sane-vpn: port to sanebox/pasta (no more firejail)

2024-05-25 10:09:10 +00:00 · 2024-05-25 10:09:10 +00:00 · a5e1a804c9
commit a5e1a804c9
parent 7c6813ff37
2 changed files with 14 additions and 7 deletions
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@ -230,6 +230,8 @@ in
            priorityMain=${builtins.toString vpnCfg.priorityMain}
            priorityFwMark=${builtins.toString vpnCfg.priorityFwMark}
            bridgeDevice=${vpnCfg.bridgeDevice}
+            addrV4=${vpnCfg.addrV4}
+            name=${vpnCfg.name}
            dns=(${lib.concatStringsSep " " vpnCfg.dns})
          '';
        } // (lib.optionalAttrs vpnCfg.isDefault {
@ -239,10 +241,11 @@ in
      {}
      (builtins.attrNames config.sane.vpn);
    "sane-scripts.vpn".sandbox = {
-      method = "landlock";  #< bwrap can't handle `ip link` stuff even with cap_net_admin
-      net = "all";
-      capabilities = [ "net_admin" ];
-      extraHomePaths = [ ".config/sane-vpn" ];
+      enable = false;  #< bwrap can't handle `ip link`, and landlock can't handle bwrap/pasta for `sane-vpn do`
+      # method = "landlock";  #< bwrap can't handle `ip link` stuff even with cap_net_admin
+      # net = "all";
+      # capabilities = [ "net_admin" ];
+      # extraHomePaths = [ ".config/sane-vpn" ];
    };

    "sane-scripts.which".sandbox = {
--- a/pkgs/additional/sane-scripts/src/sane-vpn
+++ b/pkgs/additional/sane-scripts/src/sane-vpn
@ -1,6 +1,8 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -i bash -p coreutils-full -p sane-scripts.ip-check

+set -e
+
 usageDescription() {
  echo "sane-vpn: tool to route all system internet traffic through some VPN, or just one application's"
  echo 'and, thanks to cap_net_admin, we can do all this without superuser!'
@ -50,6 +52,8 @@ sourceVpn() {
  # - prioMain
  # - prioFwMark
  # - bridgeDevice
+  # - addrV4
+  # - name
  # - dns
  debug "sourcing: ~/.config/sane-vpn/vpns/$1"
  # TODO: don't blindly source this, but parse explicitly as `K=V`
@ -95,10 +99,10 @@ vpnToggle() {

 vpnDo() {
  debug "vpnDo with:"
-  debug "  bridgeDevice='$bridgeDevice'"
+  debug "  name='$name'"
+  debug "  addrV4='$addrV4'"
  debug "  dns='$dns'"
-  # TODO: switch to bwrap, or `sanebox`!
-  firejail --noprofile --net="$bridgeDevice" --dns="$dns" "$@"
+  sanebox --sanebox-method pastaonly --sanebox-net-dev "$name" --sanebox-net-gateway "$addrV4" --sanebox-dns "$dns" "$@"
 }

 usage() {