colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

programs: sandboxing: link /etc into sandboxed programs

Browse Source 
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
This commit is contained in:
Colin
2024-02-27 22:25:17 +00:00
parent 7fb7f72bc0
commit 8f424dcd5a
3 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
hosts/common/programs/assorted.nix
View File

@@ -213,7 +213,7 @@ in
blanket.sandbox.whitelistWayland = true; blanket.sandbox.whitelistWayland = true;
blueberry.sandbox.method = "bwrap"; blueberry.sandbox.method = "bwrap";
blueberry.sandbox.wrapperType = "wrappedDerivation"; blueberry.sandbox.wrapperType = "inplace"; # /etc/xdg/autostart hardcodes paths
blueberry.sandbox.whitelistWayland = true; blueberry.sandbox.whitelistWayland = true;
blueberry.sandbox.extraPaths = [ blueberry.sandbox.extraPaths = [
"/dev/rfkill" "/dev/rfkill"
@@ -448,7 +448,7 @@ in
# gnome-disks # gnome-disks
"gnome.gnome-disk-utility".sandbox.method = "bwrap"; "gnome.gnome-disk-utility".sandbox.method = "bwrap";
"gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation"; "gnome.gnome-disk-utility".sandbox.wrapperType = "inplace"; # /etc/xdg/autostart
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ]; "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true; "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
@@ -820,7 +820,7 @@ in
# use like `sudo smartctl /dev/sda -a` # use like `sudo smartctl /dev/sda -a`
smartmontools.sandbox.method = "landlock"; smartmontools.sandbox.method = "landlock";
smartmontools.sandbox.wrapperType = "wrappedDerivation"; smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin
smartmontools.sandbox.autodetectCliPaths = "existing"; smartmontools.sandbox.autodetectCliPaths = "existing";
smartmontools.sandbox.capabilities = [ "sys_rawio" ]; smartmontools.sandbox.capabilities = [ "sys_rawio" ];

2
hosts/common/programs/imagemagick.nix
View File

@@ -2,7 +2,7 @@
{ {
sane.programs.imagemagick = { sane.programs.imagemagick = {
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation"; sandbox.wrapperType = "inplace"; # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
sandbox.whitelistPwd = true; sandbox.whitelistPwd = true;
sandbox.autodetectCliPaths = "existingOrParent"; #< arg formatting is complicated enough that this won't always work. sandbox.autodetectCliPaths = "existingOrParent"; #< arg formatting is complicated enough that this won't always work.
packageUnwrapped = pkgs.imagemagick.override { packageUnwrapped = pkgs.imagemagick.override {

13
modules/programs/make-sandboxed.nix
View File

@@ -218,10 +218,15 @@ let
sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} '' sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
set -e set -e
mkdir "$out" mkdir "$out"
if [ -e "${unsandboxed}/share" ]; then # link in a limited subset of the directories.
mkdir "$out/share" # lib/ is the primary one to avoid, because of shared objects that would be unsandboxed if dlopen'd.
${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/share" "$out/share" # all other directories are safe-ish, because they won't end up on PATH or LDPATH.
fi for dir in etc share; do
if [ -e "${unsandboxed}/$dir" ]; then
mkdir "$out/$dir"
${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/$dir" "$out/$dir"
fi
done
runHook postInstall runHook postInstall
'').overrideAttrs (_: { '').overrideAttrs (_: {
# specifically for meta.priority, though it shouldn't actually matter here. # specifically for meta.priority, though it shouldn't actually matter here.