From 838c6d7dc835ce5c49d58985fdc659d8af950a92 Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 15 Feb 2024 16:38:38 +0000
Subject: [PATCH] programs: swaync: sandbox
---
 .../programs/swaynotificationcenter.nix | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/hosts/common/programs/swaynotificationcenter.nix b/hosts/common/programs/swaynotificationcenter.nix
index 24937efe..62f69379 100644
--- a/hosts/common/programs/swaynotificationcenter.nix
+++ b/hosts/common/programs/swaynotificationcenter.nix
@@ -146,6 +146,36 @@ in
 '';
 }));
 
+ sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
+ sandbox.whitelistAudio = true;
+ sandbox.whitelistDbus = [
+ "user" # mpris; portal
+ "system" # backlight
+ ];
+ sandbox.whitelistWayland = true;
+ sandbox.extraPaths = [
+ "/sys/class/backlight"
+ "/sys/devices"
+ ];
+ sandbox.extraRuntimePaths = [
+ # systemd/private allows one to `systemctl --user {status,start,stop,...}`
+ # notably, it does *not* allow for `systemd-run` (that's dbus: org.freedesktop.systemd1.Manager.StartTransientUnit).
+ # that doesn't necessarily mean this is entirely safe against privilege escalation though.
+ # TODO: audit the safety of this systemd sandboxing.
+ # few alternatives:
+ # - superd
+ # - simply `xdg-open app://dino`, etc. `pkill` to stop, `pgrep` to query.
+ # - more robust: `xdg-open sane-service://start?service=dino`
+ # - still need `pgrep` to query if it's running, or have the service mark a pid file
+ # - dbus activation for each app
+ "systemd/private"
+ ];
+ sandbox.extraConfig = [
+ # systemctl calls seem to require same pid namespace
+ "--sane-sandbox-keep-pidspace"
+ ];
+
 # glib/gio applications support many notification backends ("portal", "gtk", "freedesktop", ...).
 # swaync implements only the `org.freedesktop.Notifications` dbus interface ("freedesktop"/fdo).
 # however gio applications may be tricked into using one of the other backends, particularly
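Review bot: The `"systemd/private"` entry in `sandbox.extraRuntimePaths` is the line in this hunk that sets the real boundary of the sandbox, and the comment above it should state that consequence instead of deferring it to the TODO: by the comment's own description the socket permits `systemctl --user start/stop` of any existing user unit, so a compromised swaync can run code outside the bwrap namespace and the effective trust boundary is the whole user session, not the sandbox. I would add, next to the TODO, `# NOTE: with systemd/private granted, this process can start/stop any user unit, so treat the sandbox boundary as the user session until this is narrowed.` so the next reader does not read `sandbox.method = "bwrap"` as stronger containment than it provides. `/sys/devices` in `sandbox.extraPaths` is likewise far broader than the backlight use the `"system"` dbus comment names; if it is there because `/sys/class/backlight/*` entries resolve into `/sys/devices`, a one-line comment saying so (and the narrowest subtree the hardware allows, if one exists) would make the grant reviewable. The enclosing attribute set starts before and ends after this hunk.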