modules/programs: add ~/.config/FOO and ~/.local/share/FOO to the sandbox where applicable
This commit is contained in:
parent
68275eeb85
commit
cbbddee152
|
@ -78,7 +78,10 @@ let
|
|||
vpn.dns
|
||||
else
|
||||
null;
|
||||
inherit allowedPaths allowedHomePaths allowedRunPaths;
|
||||
# the sandboxer should understand how to work with duplicated paths, but it's annoying => `lib.unique`
|
||||
allowedPaths = lib.unique allowedPaths;
|
||||
allowedHomePaths = lib.unique allowedHomePaths;
|
||||
allowedRunPaths = lib.unique allowedRunPaths;
|
||||
};
|
||||
in
|
||||
makeSandboxed {
|
||||
|
@ -450,6 +453,21 @@ let
|
|||
++ lib.optionals config.sandbox.whitelistWayland [ "wayland" ] # app can still communicate with wayland server w/o this, if it has net access
|
||||
++ lib.optionals config.sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
|
||||
;
|
||||
sandbox.extraHomePaths = let
|
||||
whitelistDir = dir: lib.optionals (lib.any (p: lib.hasPrefix "${dir}/" p) (builtins.attrNames config.fs)) [
|
||||
dir
|
||||
];
|
||||
mainProgram = (config.packageUnwrapped.meta or {}).mainProgram or null;
|
||||
in
|
||||
# assume the program is free to access any files in ~/.config/<name>, ~/.local/share/<name> -- if those exist.
|
||||
# the benefit of this is that the program will see updates to its files made *outside* of the sandbox,
|
||||
# allowing e.g. manual modification of ~/.config/FOO/thing.json to be seen by the program.
|
||||
whitelistDir ".config/${name}"
|
||||
++ whitelistDir ".local/share/${name}"
|
||||
# some packages, e.g. swaynotificationcenter, store the config under the binary name instead of the package name
|
||||
++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}")
|
||||
++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}")
|
||||
;
|
||||
sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
|
||||
"--sanebox-portal"
|
||||
];
|
||||
|
|
Loading…
Reference in New Issue
Block a user