sandbox a bunch more apps
This commit is contained in:
parent
de11edffa5
commit
bfec531fa2
|
@ -221,6 +221,7 @@ in
|
|||
|
||||
|
||||
# INDIVIDUAL PACKAGE DEFINITIONS
|
||||
"cacert.unbundled".sandbox.enable = false;
|
||||
|
||||
cargo.persist.byStore.plaintext = [ ".cargo" ];
|
||||
|
||||
|
@ -228,8 +229,12 @@ in
|
|||
delfin.persist.byStore.private = [ ".config/delfin" ];
|
||||
|
||||
# creds, but also 200 MB of node modules, etc
|
||||
discord.sandbox.method = "bwrap";
|
||||
discord.persist.byStore.private = [ ".config/discord" ];
|
||||
|
||||
dtc.sandbox.method = "bwrap";
|
||||
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
|
||||
|
||||
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
||||
|
||||
# `emote` will show a first-run dialog based on what's in this directory.
|
||||
|
@ -237,28 +242,62 @@ in
|
|||
# TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience.
|
||||
emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
|
||||
|
||||
eza.sandbox.method = "landlock"; # ls replacement
|
||||
eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
eza.sandbox.autodetectCliPaths = true;
|
||||
eza.sandbox.whitelistPwd = true;
|
||||
|
||||
fd.sandbox.method = "landlock";
|
||||
fd.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
fd.sandbox.autodetectCliPaths = true;
|
||||
fd.sandbox.whitelistPwd = true;
|
||||
|
||||
ffmpeg.sandbox.method = "bwrap";
|
||||
ffmpeg.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
ffmpeg.sandbox.autodetectCliPaths = true;
|
||||
|
||||
file.sandbox.method = "bwrap";
|
||||
file.sandbox.autodetectCliPaths = true;
|
||||
|
||||
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
|
||||
|
||||
font-manager.sandbox.method = "bwrap";
|
||||
font-manager.packageUnwrapped = pkgs.font-manager.override {
|
||||
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
|
||||
withWebkit = false;
|
||||
};
|
||||
|
||||
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
gawk.sandbox.autodetectCliPaths = true;
|
||||
|
||||
gdb.sandbox.method = "landlock"; # TODO:sandbox: untested
|
||||
gdb.sandbox.autodetectCliPaths = true;
|
||||
|
||||
# MS GitHub stores auth token in .config
|
||||
# TODO: we can populate gh's stuff statically; it even lets us use the same oauth across machines
|
||||
gh.persist.byStore.private = [ ".config/gh" ];
|
||||
|
||||
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
||||
|
||||
# TODO: gnome-maps: move to own file
|
||||
"gnome.gnome-maps".persist.byStore.plaintext = [ ".cache/shumate" ];
|
||||
"gnome.gnome-maps".persist.byStore.private = [ ".local/share/maps-places.json" ];
|
||||
|
||||
# jq.sandbox.autodetectCliPaths = true; # liable to over-detect
|
||||
|
||||
mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
mercurial.sandbox.whitelistPwd = true;
|
||||
mimeo.sandbox.method = "capshonly"; # xdg-open replacement
|
||||
|
||||
# actual monero blockchain (not wallet/etc; safe to delete, just slow to regenerate)
|
||||
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
|
||||
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
|
||||
|
||||
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
|
||||
|
||||
nano.sandbox.method = "bwrap";
|
||||
nano.sandbox.autodetectCliPaths = true;
|
||||
|
||||
# settings (electron app)
|
||||
obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
|
||||
|
||||
|
@ -266,6 +305,19 @@ in
|
|||
requests
|
||||
]);
|
||||
|
||||
ripgrep.sandbox.method = "landlock";
|
||||
ripgrep.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
ripgrep.sandbox.autodetectCliPaths = true;
|
||||
ripgrep.sandbox.whitelistPwd = true;
|
||||
|
||||
rsync.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
rsync.sandbox.autodetectCliPaths = true;
|
||||
|
||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
sequoia.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
sequoia.sandbox.whitelistPwd = true;
|
||||
sequoia.sandbox.autodetectCliPaths = true;
|
||||
|
||||
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
||||
|
||||
# printer/filament settings
|
||||
|
@ -273,17 +325,43 @@ in
|
|||
|
||||
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
||||
|
||||
subversion.sandbox.method = "bwrap";
|
||||
subversion.sandbox.whitelistPwd = true;
|
||||
sudo.sandbox.enable = false;
|
||||
|
||||
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
||||
|
||||
tdesktop.persist.byStore.private = [ ".local/share/TelegramDesktop" ];
|
||||
|
||||
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
||||
|
||||
tcpdump.sandbox.method = "landlock";
|
||||
tcpdump.sandbox.autodetectCliPaths = true;
|
||||
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
tree.sandbox.method = "landlock";
|
||||
tree.sandbox.autodetectCliPaths = true;
|
||||
tree.sandbox.whitelistPwd = true;
|
||||
|
||||
unzip.sandbox.method = "bwrap";
|
||||
unzip.sandbox.autodetectCliPaths = true;
|
||||
unzip.sandbox.whitelistPwd = true;
|
||||
|
||||
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
visidata.sandbox.autodetectCliPaths = true;
|
||||
|
||||
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
||||
|
||||
wget.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
wget.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||
|
||||
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
|
||||
|
||||
xdg-utils.sandbox.method = "capshonly";
|
||||
|
||||
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
||||
|
||||
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||
};
|
||||
|
||||
programs.feedbackd = lib.mkIf config.sane.programs.feedbackd.enabled {
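Review bot: `gdb.sandbox.method = "landlock"` in hunk `@ -237,28 +242,62` will break more than file access: Landlock carries a ptrace restriction under which a sandboxed process may only trace processes in its own or a nested domain, so `gdb -p <pid>` (or `attach`) against an already-running, unsandboxed program fails with EPERM, while debugging a program that gdb launches itself still works because the child inherits the domain. The line is already marked `TODO:sandbox: untested`; I'd record the known limitation next to it rather than leave it for the first failed attach, e.g. `gdb.sandbox.method = "landlock"; # NOTE: landlock restricts ptrace to the sandbox domain: attaching to existing (unsandboxed) processes fails, launching under gdb works`. If the wrapper has a mode without that restriction (the `capshonly` method used for mimeo and xdg-utils may be closer to what gdb needs, but I can't tell from this diff what each method implements), that would be the better fit for a debugger. The enclosing attribute set starts before the first hunk and closes at the `};` in the last one.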
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.imagemagick = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistPwd = true;
|
||||
sandbox.autodetectCliPaths = true; #< arg formatting is complicated enough that this won't always work.
|
||||
packageUnwrapped = pkgs.imagemagick.override {
|
||||
ghostscriptSupport = true;
|
||||
};
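Review bot: The three sandbox lines added here become the main containment for ImageMagick's Ghostscript delegate (`ghostscriptSupport = true` two lines below), which is the PS/EPS/PDF coder path that distribution `policy.xml` files commonly disable because crafted PostScript or PDF input reaches a full interpreter; the override has no comment saying why Ghostscript is wanted or that untrusted files now rely on bwrap for it. I'd document the trade-off at the override, e.g. `# ghostscript is needed for PS/PDF conversion but is ImageMagick's riskiest delegate; this package must stay sandboxed (sandbox.method above)`. `sandbox.whitelistPwd = true` presumably hands the sandbox the entire working directory, so converting an untrusted file from `$HOME` exposes all of home — worth a comment, or a habit of working from a scratch directory. The `#<` caveat on `autodetectCliPaths` could also say what happens when detection fails, which I'd expect to be a failed open inside the sandbox rather than an escape, but that can't be confirmed from this diff.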
|
||||
|
|