programs: geary: fix sandboxing
this is an UGLY one. geary itself uses bwrap, and that fails if it's sandboxed AT ALL in landlock (i.e. even with just / landlocked as RW). maybe this has to do with what landlock-sandboxer considers 'read/write' to be, and there's actually more file ops i need to enable on /
parent
3b4884fcf1
commit
be06e61bfb
|
@ -19,7 +19,20 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
sandbox.method = null; # "firejail"; #< TODO: it crashes when i try to load an inbox
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraPaths = [
|
||||
# geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
|
||||
# TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
|
||||
"/sys/block"
|
||||
"/sys/bus"
|
||||
"/sys/class"
|
||||
"/sys/dev"
|
||||
"/sys/devices"
|
||||
"/sys/fs"
|
||||
];
|
||||
# if sandbox.method == "landlock", then these dirs must exist in the sandbox, even if empty.
|
||||
# fs.".config/geary".dir = {};
|
||||
# fs.".local/share/folks".dir = {};
|
||||
|
||||
slowToBuild = true; # uses webkitgtk 4.1
|
||||
persist.byStore.private = [
|
||||
|
|
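Review bot: The six `/sys/*` entries added to `sandbox.extraPaths` give a mail client that parses remote content a view of host hardware and device topology, and nothing in the hunk shows whether the sandbox helper binds extra paths read-only or read-write. It is worth confirming that against the helper and recording the answer above the list, for example `# bound read-only (verify); needed only by geary's nested bwrap + dbus-proxy`. Separately, the reason landlock was rejected is stated only in the commit message, so a comment beside `sandbox.method = "bwrap";` such as `# not landlock: geary's own bwrap fails under any landlock ruleset` would explain why the commented-out `fs.….dir` hints below are kept. The enclosing attribute set starts and ends outside the hunk.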