todo.md: sync
This commit is contained in:
parent
634520a1e9
commit
8c6bf07102
22
TODO.md
@ -3,13 +3,13 @@
|
|||
- ringer (i.e. dino incoming call) doesn't prevent moby from sleeping
|
||||
- `nix` operations from lappy hang when `desko` is unreachable
|
||||
- could at least direct the cache to `http://desko-hn:5001`
|
||||
- entering the wrong password in unl0kr hangs the TTY
|
||||
|
||||
## REFACTORING:
|
||||
|
||||
- fold hosts/common/home/ssh.nix -> hosts/common/users/colin.nix
|
||||
|
||||
### sops/secrets
|
||||
- attach secrets to the thing they're used by (sane.programs)
|
||||
- rework secrets to leverage `sane.fs`
|
||||
- remove sops activation script as it's covered by my systemd sane.fs impl
|
||||
|
||||
|
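Review bot: the unl0kr item (a wrong password hangs the TTY) is the one availability problem in this hunk and is recorded without the detail needed to act on it; state whether the hang clears on its own or needs a reboot and whether it reproduces on every wrong attempt, so it can be tracked as a bug rather than a note-to-self. The `nix`-hangs-when-`desko`-is-unreachable item and its `http://desko-hn:5001` follow-up describe a problem and a workaround for the same thing; keeping them together and naming the expected timeout behaviour would make the item closable.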
@ -22,7 +22,6 @@
|
|||
- bump nodejs version in lemmy-ui
|
||||
- add updateScripts to all my packages in nixpkgs
|
||||
- fix lightdm-mobile-greeter for newer libhandy
|
||||
- port zecwallet-lite to a from-source build
|
||||
- REVIEW/integrate jellyfin dataDir config: <https://github.com/NixOS/nixpkgs/pull/233617>
|
||||
|
||||
#### upstreaming to non-nixpkgs repos
|
||||
|
@ -35,16 +34,22 @@
|
|||
- encrypt more ~ dirs (~/archives, ~/records, ..?)
|
||||
- best to do this after i know for sure i have good backups
|
||||
- port all sane.programs to be sandboxed
|
||||
- consider using *landlock* instead of bwrap: conceptually simpler and fewer restrictions with the capabilities system
|
||||
- <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c>
|
||||
- enforce that all `environment.packages` has a bwrap profile (or explicitly opts out)
|
||||
- integrate `xdg-open` with the bwrap profiles
|
||||
- enforce that all `environment.packages` has a sandbox profile (or explicitly opts out)
|
||||
- integrate `xdg-open` with the sandbox profiles
|
||||
- xdg-open can run as a highly-permissioned service, fielding requests.
|
||||
- when it determines the handler, it can enforce the bwrap profile on that handler's behalf,
|
||||
- when it determines the handler, it can enforce the sandbox profile on that handler's behalf,
|
||||
ensuring that anything launched with xdg-open is lowly-permissioned.
|
||||
- then, the actual desktop can be permissioned *lower*. e.g. no access to ~/.ssh, even in nautilus.
|
||||
`xdg-open terminal` would grant a high-permission interactive terminal, for doing high-permissioned things.
|
||||
- i think there's already a xdg-open dbus equivalent in gnome. search "firejail URL issue"
|
||||
- ALTERNATIVELY:
|
||||
1. compute the closure of each program and its `suggestedPrograms`
|
||||
2. jump into a sandbox for the above
|
||||
3. launch some program which fields requests and passes them to xdg-open
|
||||
4. launch the original program we seek to sandbox in a _nested_ sandbox, of just its own files, but with xdg-open aliased to forward requests to the proxy.
|
||||
- i don't know how exactly the proxy works: `mkfifo`? a TCP socket that traverses a network namespace? there's some complexity here.
|
||||
- this is sort of just a more sophisticated version of the above.
|
||||
- computing sandbox unions is probably far more difficult than it appears. e.g. what to do when a `bwrap` program wishes to call a `landlock` program? how is that outer scope to be sandboxed? my sandboxes are already frail enough that making them dynamic like this will surely cause unpredictable breakages.
|
||||
- lock down dbus calls within the sandbox
|
||||
- otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
|
||||
- <https://github.com/flatpak/xdg-dbus-proxy>
|
||||
|
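Review bot: the rename from `bwrap profile` to `sandbox profile` (the `environment.packages` enforcement item, the `xdg-open` integration item and the handler line) is applied consistently, but the landlock bullet that motivates it ("fewer restrictions with the capabilities system") does not say which restriction is meant; spell out the bwrap limitation being avoided so the comparison can be checked against the linked sandboxer.c sample. On the dbus item: `systemd-run --user` reaches the user service manager either over its private socket under `$XDG_RUNTIME_DIR/systemd/` or over the session bus, so filtering the session bus with xdg-dbus-proxy only closes the second path and the sandbox must also hide that socket, otherwise the escape named in the bullet stays open. The closing bullet already concedes that dynamic sandbox unions are fragile; mark the ALTERNATIVELY list as not planned, or move it to its own section, so it is not read as the intended design.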
@ -54,9 +59,6 @@
|
|||
- e.g. daily email checks; daily backup checks
|
||||
- integrate `nix check` into Gitea actions?
|
||||
|
||||
### faster/better deployments
|
||||
- remove audacity's dependency on webkitgtk (via wxwidgets)
|
||||
|
||||
### user experience
|
||||
- install apps:
|
||||
- display QR codes for WiFi endpoints: <https://linuxphoneapps.org/apps/noappid.wisperwind.wifi2qr/>
|
||||
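Review bot: `nix check` in the Gitea actions item is not a nix subcommand; the command that runs a flake's checks is `nix flake check`, so name that (or a `nix build` of a specific check attribute) before wiring it into CI. The audacity/webkitgtk item sits under "faster/better deployments" with no measurement of what dropping the dependency saves; a closure-size or build-time figure would make the item reviewable.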