programs: sandboxer: allow disable net access
This commit is contained in:
parent
7b9b3344a0
commit
bc85169e3d
|
@ -54,7 +54,14 @@ let
|
|||
whitelistPwd
|
||||
wrapperType
|
||||
;
|
||||
vpn = if net == "vpn" then vpn else null;
|
||||
netDev = if net == "vpn" then
|
||||
vpn.bridgeDevice
|
||||
else
|
||||
net;
|
||||
dns = if net == "vpn" then
|
||||
vpn.dns
|
||||
else
|
||||
null;
|
||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths ++ [
|
||||
".config/mimeo" #< TODO: required, until i fully integrate xdg-open into sandboxing. else, `xdg-open https://...` inifinite-loops.
|
||||
];
|
||||
|
@ -214,12 +221,13 @@ let
|
|||
'';
|
||||
};
|
||||
net = mkOption {
|
||||
type = types.enum [ "clearnet" "vpn" ];
|
||||
type = types.enum [ null "clearnet" "vpn" ];
|
||||
default = "clearnet";
|
||||
description = ''
|
||||
how this app should have its network traffic routed.
|
||||
- "clearnet" for unsandboxed network.
|
||||
- "vpn" to route all traffic over the default VPN.
|
||||
- "clearnet": for unsandboxed network.
|
||||
- "vpn": to route all traffic over the default VPN.
|
||||
- null: to maximally isolate from the network.
|
||||
'';
|
||||
};
|
||||
sandbox.method = mkOption {
|
||||
|
|
|
@ -229,7 +229,7 @@ let
|
|||
};
|
||||
});
|
||||
|
||||
make-sandboxed = { pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? null, binMap ? {}, capabilities ? [], embedProfile ? false, embedSandboxer ? false, extraConfig ? [], whitelistPwd ? false }@args:
|
||||
make-sandboxed = { pkgName, package, method, wrapperType, netDev ? null, dns ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? null, binMap ? {}, capabilities ? [], embedProfile ? false, embedSandboxer ? false, extraConfig ? [], whitelistPwd ? false }@args:
|
||||
let
|
||||
unsandboxed = package;
|
||||
sane-sandboxed' = if embedSandboxer then
|
||||
|
@ -253,22 +253,25 @@ let
|
|||
|
||||
capabilityFlags = lib.flatten (builtins.map (c: [ "--sane-sandbox-cap" c ]) capabilities);
|
||||
|
||||
vpnItems = [
|
||||
netItems = lib.optionals (netDev != null) [
|
||||
"--sane-sandbox-net"
|
||||
vpn.bridgeDevice
|
||||
] ++ lib.flatten (builtins.map (addr: [
|
||||
"--sane-sandbox-dns"
|
||||
addr
|
||||
]) vpn.dns);
|
||||
netDev
|
||||
] ++ lib.optionals (dns != null) (
|
||||
lib.flatten (builtins.map
|
||||
(addr: [ "--sane-sandbox-dns" addr ])
|
||||
dns
|
||||
)
|
||||
);
|
||||
|
||||
sandboxFlags = [
|
||||
"--sane-sandbox-method" method
|
||||
] ++ allowPaths allowedRootPaths
|
||||
]
|
||||
++ netItems
|
||||
++ allowPaths allowedRootPaths
|
||||
++ allowHomePaths allowedHomePaths
|
||||
++ capabilityFlags
|
||||
++ lib.optionals (autodetectCliPaths != null) [ "--sane-sandbox-autodetect" autodetectCliPaths ]
|
||||
++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
|
||||
++ lib.optionals (vpn != null) vpnItems
|
||||
++ extraConfig;
|
||||
|
||||
sandboxProfilesPkg = writeTextFile {
|
||||
|
|
|
@ -286,6 +286,11 @@ bwrapIngestPath() {
|
|||
# test -r "$1" && bwrapFlags+=("--dev-bind-try" "$1" "$1")
|
||||
bwrapFlags+=("--dev-bind-try" "$1" "$1")
|
||||
}
|
||||
bwrapIngestNet() {
|
||||
debug "bwrapIngestNet: enabling full net access for '$1' because don't know how to restrict it more narrowly"
|
||||
# N.B.: `--share-net` will override any earlier call to `--unshare-net`
|
||||
bwrapFlags+=("--share-net")
|
||||
}
|
||||
bwrapIngestProfile() {
|
||||
debug "bwrapIngestProfile: stubbed"
|
||||
}
|
||||
|
@ -296,7 +301,7 @@ bwrapIngestCapability() {
|
|||
|
||||
bwrapExec() {
|
||||
PATH="$PATH:@bubblewrap@/bin" exec \
|
||||
bwrap --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
bwrap --unshare-net --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
"${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
@ -340,6 +345,9 @@ landlockIngestPath() {
|
|||
fi
|
||||
fi
|
||||
}
|
||||
landlockIngestNet() {
|
||||
debug "landlockIngestNet: '$1': stubbed (landlock network is always unrestricted)"
|
||||
}
|
||||
landlockIngestProfile() {
|
||||
debug "landlockIngestProfile: stubbed"
|
||||
}
|
||||
|
@ -367,6 +375,9 @@ capshonlySetup() {
|
|||
capshonlyIngestPath() {
|
||||
debug "capshonlyIngestPath: stubbed"
|
||||
}
|
||||
capshonlyIngestNet() {
|
||||
debug "capshonlyIngestNet: '$1': stubbed (capsh network is always unrestricted)"
|
||||
}
|
||||
capshonlyIngestProfile() {
|
||||
debug "capshonlyIngestProfile: stubbed"
|
||||
}
|
||||
|
|
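Review bot: The new `null` value for `net` is described as "maximally isolate from the network", but only the bwrap backend enforces it: `bwrapExec` now starts with `--unshare-net` and `bwrapIngestNet` re-enables networking with `--share-net`, while `landlockIngestNet` and `capshonlyIngestNet` are stubs that state the network is always unrestricted. Because those stubs only run when a `--sane-sandbox-net` flag is ingested, and `netItems` is empty when `netDev` is null, selecting `net = null` under landlock or capsh produces no flag, no debug line and no isolation — the profile silently falls through to clearnet. I would make that loud in `make-sandboxed`, e.g. `sandboxFlags = assert (netDev != null || method == "bwrap"); [ ... ]` (assuming the method string matches the `bwrap` prefix of the shell functions, which is not visible here), or at least state the limitation in the option text: `- null: to maximally isolate from the network (only enforced by the bwrap method; landlock and capsh leave the network unrestricted).` Note also that `--unshare-net` isolates only the network namespace; any filesystem-backed unix socket under an allowed path (e.g. a proxy in the runtime dir) remains reachable, which deserves a comment next to `bwrapExec` if that is not intended.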