programs: indirect firejail access through sane-sandboxed

This commit is contained in:
Colin 2024-01-23 03:48:09 +00:00
parent 2492ed2ca7
commit a4cb6645b4
3 changed files with 9 additions and 9 deletions


@ -38,7 +38,7 @@ let
package package
else if sandbox.method == "firejail" then else if sandbox.method == "firejail" then
let let
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { }; makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn); vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
in in
makeSandboxed { makeSandboxed {


@ -2,12 +2,11 @@
, firejail , firejail
, runCommand , runCommand
, runtimeShell , runtimeShell
, sane-sandboxed
}: }:
{ pkgName, package, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }: { pkgName, package, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }:
let let
# XXX: firejail needs suid bit for some (not all) of its sandboxing methods. hence, rely on the user installing it system-wide and call it by suid path. sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
# firejailBin = "/run/wrappers/bin/firejail";
firejailBin = "firejail";
allowPath = p: [ allowPath = p: [
"noblacklist ${p}" "noblacklist ${p}"
@ -93,11 +92,11 @@ let
mv "$out/bin/$name" "$out/bin/.$name-firejailed" mv "$out/bin/$name" "$out/bin/.$name-firejailed"
cat <<EOF >> "$out/bin/$name" cat <<EOF >> "$out/bin/$name"
#!${runtimeShell} #!${runtimeShell}
exec ${firejailBin} \ exec ${sane-sandboxed'} \
--include="${pkgName}.local" \ --sane-sandbox-firejail-arg --include="${pkgName}.local" \
--profile=":$firejailProfileName" \ --sane-sandbox-firejail-arg --profile=":$firejailProfileName" \
--join-or-start="$firejailProfileName" \ --sane-sandbox-firejail-arg --join-or-start="$firejailProfileName" \
-- "$out/bin/.$name-firejailed" "\$@" "$out/bin/.$name-firejailed" "\$@"
EOF EOF
chmod +x "$out/bin/$name" chmod +x "$out/bin/$name"
} }
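Review bot: The generated wrapper's `exec` line now resolves the sandbox entry point by bare name (`sane-sandboxed'` is `meta.mainProgram`, not a store path), so the sandbox boundary depends on whatever `sane-sandboxed` resolves to on PATH at run time; the old `firejail` lookup had the same property, but the deleted XXX comment at least recorded why a bare name was used (firejail needs the suid wrapper under /run/wrappers/bin), and that rationale should survive the rename, e.g. next to the `sane-sandboxed'` binding: `# resolved via PATH at run time: avoids rebuilding every sandboxed package when the helper changes, and lets the helper call the suid firejail under /run/wrappers/bin`. The `--` that previously separated firejail's own options from the program path was also dropped; if sane-sandboxed parses its argv for `--sane-sandbox-*` options, it would be safer to keep `-- "$out/bin/.$name-firejailed" "\$@"` (or to document that parsing stops at the first non-option) so a program path can never be read as a helper option — here the path is a store path, so this is defensive only. I cannot see sane-sandboxed's argument handling from this diff, so please confirm it forwards each `--sane-sandbox-firejail-arg` value verbatim, including the `--profile=":$firejailProfileName"` form. The runCommand builder string this hunk edits starts outside the hunk.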


@ -29,5 +29,6 @@ stdenv.mkDerivation {
1. to abstract over the particular sandbox implementation (bwrap, firejail, ...). 1. to abstract over the particular sandbox implementation (bwrap, firejail, ...).
2. to modify sandbox settings without forcing a rebuild of the sandboxed package. 2. to modify sandbox settings without forcing a rebuild of the sandboxed package.
''; '';
mainProgram = "sane-sandboxed";
}; };
} }