packages: reduce the number of packages which are using inplace sandbox wrapping

2024-02-28 17:35:40 +00:00
parent 7ca5ae84b7
commit 812c0c8029
14 changed files with 48 additions and 37 deletions
--- a/hosts/common/programs/aerc.nix
+++ b/hosts/common/programs/aerc.nix
@@ -4,7 +4,7 @@
 {
  sane.programs.aerc = {
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "inplace";  #< /share/aerc/aerc.conf refers to other /share files by absolute path
    sandbox.net = "clearnet";
    secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin;
    mime.associations."x-scheme-handler/mailto" = "aerc.desktop";
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -215,7 +215,7 @@ in
    blanket.sandbox.whitelistWayland = true;

    blueberry.sandbox.method = "bwrap";
-    blueberry.sandbox.wrapperType = "inplace";  # /etc/xdg/autostart hardcodes paths
+    blueberry.sandbox.wrapperType = "inplace";  #< various /lib scripts refer to the bins by full path
    blueberry.sandbox.whitelistWayland = true;
    blueberry.sandbox.extraPaths = [
      "/dev/rfkill"
@@ -381,11 +381,11 @@ in
    fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];

    font-manager.sandbox.method = "bwrap";
-    font-manager.sandbox.wrapperType = "inplace";  # .desktop and dbus .service file refer to /libexec
-    font-manager.packageUnwrapped = pkgs.font-manager.override {
+    font-manager.sandbox.wrapperType = "wrappedDerivation";
+    font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
      # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
      withWebkit = false;
-    };
+    });

    forkstat.sandbox.method = "landlock";  #< doesn't seem to support bwrap
    forkstat.sandbox.wrapperType = "wrappedDerivation";
@@ -409,7 +409,7 @@ in
    ];

    gawk.sandbox.method = "bwrap";  # TODO:sandbox: untested
-    gawk.sandbox.wrapperType = "inplace";  # share/gawk libraries refer to /libexec
+    gawk.sandbox.wrapperType = "inplace";  # /share/gawk libraries refer to /libexec
    gawk.sandbox.autodetectCliPaths = true;

    gdb.sandbox.enable = false;  # gdb doesn't sandbox well. i don't know how you could.
@@ -443,7 +443,7 @@ in
    ];

    "gnome.gnome-calculator".sandbox.method = "bwrap";
-    "gnome.gnome-calculator".sandbox.wrapperType = "inplace";  # /libexec/gnome-calculator-search-provider
+    "gnome.gnome-calculator".sandbox.wrapperType = "wrappedDerivation";
    "gnome.gnome-calculator".sandbox.whitelistWayland = true;

    # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
@@ -458,7 +458,7 @@ in

    # gnome-disks
    "gnome.gnome-disk-utility".sandbox.method = "bwrap";
-    "gnome.gnome-disk-utility".sandbox.wrapperType = "inplace";  # /etc/xdg/autostart
+    "gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
    "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
    "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;

@@ -660,8 +660,9 @@ in

    lua = {};

+    "mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
    "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
-    "mate.engrampa".sandbox.wrapperType = "inplace";
+    "mate.engrampa".sandbox.wrapperType = "wrappedDerivation";
    "mate.engrampa".sandbox.whitelistWayland = true;
    "mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
    "mate.engrampa".sandbox.extraHomePaths = [
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@@ -234,7 +234,7 @@ in
      sane.programs.firefox = {
        inherit packageUnwrapped;
        sandbox.method = "bwrap";  # landlock works, but requires all of /proc to be linked
-        sandbox.wrapperType = "inplace";  # probably wrappedDerivation could work too.
+        sandbox.wrapperType = "inplace";  # trivial package; cheap enough to wrap inplace
        sandbox.net = "all";
        sandbox.whitelistAudio = true;
        sandbox.whitelistDbus = [ "user" ];  # mpris
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -1,8 +1,9 @@
-{ ... }:
+{ pkgs, ... }:
 {
  sane.programs."gnome.gnome-maps" = {
+    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";  #< dbus files
+    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDri = true;  # for perf
    sandbox.whitelistDbus = [
      "system"  # system is required for non-portal location services
--- a/hosts/common/programs/gnome-weather.nix
+++ b/hosts/common/programs/gnome-weather.nix
@@ -4,7 +4,7 @@
 {
  sane.programs."gnome.gnome-weather" = {
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "inplace";  #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
    suggestedPrograms = [ "dconf" ];  #< stores city/location settings
--- a/hosts/common/programs/nautilus.nix
+++ b/hosts/common/programs/nautilus.nix
@@ -1,16 +1,17 @@
 { pkgs, ... }:
 {
  sane.programs."gnome.nautilus" = {
-    packageUnwrapped = pkgs.gnome.nautilus.overrideAttrs (orig: {
+    # some of its dbus services don't even refer to real paths
+    packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.gnome.nautilus.overrideAttrs (orig: {
      # enable the "Audio and Video Properties" pane. see: <https://nixos.wiki/wiki/Nautilus>
      buildInputs = orig.buildInputs ++ (with pkgs.gst_all_1; [
        gst-plugins-good
        gst-plugins-bad
      ]);
-    });
+    }));

    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/playerctl.nix
+++ b/hosts/common/programs/playerctl.nix
@@ -2,7 +2,7 @@
 {
  sane.programs.playerctl = {
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "inplace";  #< /lib/pkgconfig/playerctl.pc refers to $out by full path
    sandbox.whitelistDbus = [ "user" ];  # notifications

    services.playerctld = {
--- a/hosts/common/programs/portfolio-filemanager.nix
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -3,7 +3,7 @@
  sane.programs.portfolio-filemanager = {
    # this is all taken pretty directly from nautilus config
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/strings.nix
+++ b/hosts/common/programs/strings.nix
@@ -6,7 +6,7 @@
    packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.binutils-unwrapped "bin/strings";

    sandbox.method = "landlock";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "inplace";  # trivial package; cheaper to wrap in place
    sandbox.autodetectCliPaths = "existing";
  };
 }
--- a/hosts/common/programs/tor-browser.nix
+++ b/hosts/common/programs/tor-browser.nix
@@ -8,7 +8,7 @@
    #   useHardenedMalloc = false;
    # };
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "inplace";  # trivial package, so cheaper to wrap in-place
    sandbox.net = "clearnet";  # tor over VPN wouldn't make sense
    sandbox.whitelistAudio = true;
    sandbox.whitelistWayland = true;
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@@ -5,7 +5,7 @@ in
 {
  sane.programs.wireplumber = {
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";  #< it ships systemd files in a non-standard /lib/systemd dir
+    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDbus = [
      # i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
      # "system"
--- a/hosts/common/programs/xdg-desktop-portal-gtk.nix
+++ b/hosts/common/programs/xdg-desktop-portal-gtk.nix
@@ -8,7 +8,7 @@ in
    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;

    sandbox.method = "bwrap";
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/xdg-desktop-portal-wlr.nix
+++ b/hosts/common/programs/xdg-desktop-portal-wlr.nix
@@ -8,7 +8,7 @@ in
    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;

    sandbox.method = "bwrap";  # TODO:sandbox: untested
-    sandbox.wrapperType = "inplace";
+    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
    sandbox.whitelistWayland = true;

--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -81,13 +81,13 @@ let
        esac
      }
      sandboxWrap() {
-        _dir="$1"
-        _name="$2"
-        _profileFromBinMap="$(getProfileFromBinMap $_name)"
+        local _dir="$1"
+        local _name="$2"
+        local _profileFromBinMap="$(getProfileFromBinMap $_name)"

-        _profiles=("$_profileFromBinMap" "$_name" "${pkgName}" "${unwrapped.pname or ""}" "${unwrapped.name or ""}")
+        local _profiles=("$_profileFromBinMap" "$_name" "${pkgName}" "${unwrapped.pname or ""}" "${unwrapped.name or ""}")
        # filter to just the unique profiles
-        _profileArgs=(${extraSandboxArgsStr})
+        local _profileArgs=(${extraSandboxArgsStr})
        for _profile in "''${_profiles[@]}"; do
          if [ -n "$_profile" ] && ! [[ " ''${_profileArgs[@]} " =~ " $_profile " ]]; then
            _profileArgs+=("--sane-sandbox-profile" "$_profile")
@@ -117,7 +117,7 @@ let
      }

      crawlAndWrap() {
-        _dir="$1"
+        local _dir="$1"
        for _p in $(ls "$_dir/"); do
          if [ -x "$_dir/$_p" ] && ! [ -d "$_dir/$_p" ]; then
            sandboxWrap "$_dir" "$_p"
@@ -172,10 +172,10 @@ let
  fixHardcodedRefs = unsandboxed: sandboxedBin: unsandboxedNonBin: unsandboxedNonBin.overrideAttrs (prevAttrs: {
    postInstall = (prevAttrs.postInstall or "") + ''
      trySubstitute() {
-        _outPath="$1"
-        _pattern="$2"
-        _from=$(printf "$_pattern" "${unsandboxed}")
-        _to=$(printf "$_pattern" "${sandboxedBin}")
+        local _outPath="$1"
+        local _pattern="$2"
+        local _from=$(printf "$_pattern" "${unsandboxed}")
+        local _to=$(printf "$_pattern" "${sandboxedBin}")
        printf "applying known substitutions to %s\n" "$_outPath"
        # for closure efficiency, we only want to rewrite stuff which actually needs changing,
        # and allow unchanged stuff to remain as symlinks.
@@ -186,11 +186,19 @@ let
        fi
      }
      # fixup a few files i understand well enough
-      for d in $out/share/applications/*.desktop; do
-        trySubstitute "$d" "Exec=%s/bin/"
-      done
-      for d in $out/share/dbus-1/services/*.service; do
+      for d in \
+        $out/etc/xdg/autostart/*.desktop \
+        $out/lib/systemd/user/*.service \
+        $out/share/applications/*.desktop \
+        $out/share/dbus-1/services/*.service \
+        $out/share/systemd/user/*.service \
+      ; do
+        # dbus and desktop files
        trySubstitute "$d" "Exec=%s/bin/"
+        trySubstitute "$d" "Exec=%s/libexec/"
+        # systemd service files
+        trySubstitute "$d" "ExecStart=%s/bin/"
+        trySubstitute "$d" "ExecStart=%s/libexec/"
      done
    '';
    passthru = (prevAttrs.passthru or {}) // {