refactor: sandboxing: replace manual --sanebox-keep-namespace pid config with isolatePids = false

This commit is contained in:
Colin 2024-05-29 12:33:18 +00:00
parent 7c8a18ecbd
commit d865be952a
11 changed files with 25 additions and 40 deletions


@ -558,9 +558,7 @@ in
});
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
forkstat.sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid"
];
forkstat.sandbox.isolatePids = false;
forkstat.sandbox.extraPaths = [
"/proc"
];
@ -923,9 +921,7 @@ in
# procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others
procps.sandbox.method = "bwrap";
procps.sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid"
];
procps.sandbox.isolatePids = false;
pstree.sandbox.method = "landlock";
pstree.sandbox.extraPaths = [
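Review bot: `forkstat.sandbox.isolatePids = false;` on the forkstat line sits next to `sandbox.method = "landlock"`, and the new option's description says the namespace is only created "if the sandboxer supports that", so whether this line has any effect for forkstat depends on the landlock backend, which is not visible here. It would help a later reader to say so inline, e.g. `forkstat.sandbox.isolatePids = false; #< forkstat reads /proc of other processes; likely a no-op under landlock, kept for when the method changes`. For procps the setting is clearly load-bearing (`ps`, `pgrep`, `pkill` must see the host PID namespace) and a one-line why-comment like the one on forkstat would make that explicit rather than implied by the tool list above it. Both hunks appear to be cut from a larger attribute set that starts and ends outside this section.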


@ -39,11 +39,9 @@ in
sandbox.method = "bwrap";
sandbox.whitelistAudio = true;
sandbox.net = "clearnet";
sandbox.extraConfig = [
# else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
# might be possible to remove this, but kinda hard to see a clean way.
"--sanebox-keep-namespace" "pid"
];
#v else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
#v might be possible to remove this, but kinda hard to see a clean way.
sandbox.isolatePids = false;
suggestedPrograms = [ "blast-ugjka" "sane-die-with-parent" ];
};


@ -36,9 +36,7 @@ in
sandbox.extraRuntimePaths = [
"/" #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory
];
sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid" #< not actually sure *why* this is necessary, but it is
];
sandbox.isolatePids = false; #< not actually sure *why* this is necessary, but it is
env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";


@ -52,11 +52,9 @@
sandbox.extraRuntimePaths = [
"dconf" #< else it's very spammy, and slow
];
sandbox.extraConfig = [
# XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
# "bwrap: open /proc/34/ns/ns failed: No such file or directory"
"--sanebox-keep-namespace" "pid"
];
# XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
# "bwrap: open /proc/34/ns/ns failed: No such file or directory"
sandbox.isolatePids = false;
suggestedPrograms = [ "dconf" ]; #< not sure if necessary
};


@ -60,9 +60,7 @@ in
# "system"
# ];
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid"
];
sandbox.isolatePids = false; #< TODO: why?
sandbox.capabilities = [
# if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
"ipc_lock"
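Review bot: The `#< TODO: why?` on `sandbox.isolatePids = false;` leaves the reason for weakening the sandbox undocumented, while the comment two lines below already names rtkit as the scheduling-priority mechanism; the sibling change for the other audio daemon in this commit states it outright ("needed if i want rtkit to grant this higher scheduling priority"). If that is the reason here too, the TODO should be replaced so the next maintainer does not re-tighten it by accident, e.g. `sandbox.isolatePids = false; #< rtkit must see our real PID to raise our scheduling priority (TODO: confirm)`. If it is not known to be the reason, the TODO should at least say that the setting shares the host PID namespace, since that is the cost being paid. The enclosing attribute set begins and ends outside this hunk.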


@ -112,9 +112,7 @@ in
"/mnt/servo/media"
"/mnt/servo/playground"
];
sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid" # for sane-open to toggle keyboard
];
sandbox.isolatePids = false; # for sane-open to toggle keyboard
fs.".config/rofi/config.rasi".symlink.target = ./config.rasi;
fs."Apps".symlink.target = ".local/share/applications/rofi-applications.desktop";


@ -97,9 +97,7 @@ in
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; #< to launch applications
sandbox.extraRuntimePaths = [ "sway" ];
sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid"
];
sandbox.isolatePids = false; #< for toggling the keyboard
};
# sane.programs.actkbd = {


@ -4,9 +4,7 @@
sandbox.method = "bwrap";
sandbox.autodetectCliPaths = "existing"; # for when opening a file
sandbox.whitelistDbus = [ "user" ];
sandbox.extraConfig = [
"--sanebox-keep-namespace" "pid" # to toggle keyboard
];
sandbox.isolatePids = false; #< to toggle keyboard
sandbox.extraHomePaths = [
".local/share/applications"
];


@ -47,10 +47,7 @@ in
};
sandbox.method = "bwrap";
sandbox.whitelistDbus = [ "user" ];
sandbox.extraConfig = [
# `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
"--sanebox-keep-namespace" "pid"
];
sandbox.isolatePids = false; # `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
};
sane.programs.swaynotificationcenter = {


@ -20,10 +20,7 @@
"/sys/class/video4linux"
"/sys/devices"
];
# sandbox.extraConfig = [
# # needed if i want rtkit to grant this higher scheduling priority
# "--sanebox-keep-namespace" "pid"
# ];
sandbox.isolatePids = false; #< needed if i want rtkit to grant this higher scheduling priority
suggestedPrograms = [ "alsa-ucm-conf" ];
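Review bot: This hunk is not a pure refactor: the removed `sandbox.extraConfig` block was commented out, so PID isolation was previously in effect for this program, whereas the added `sandbox.isolatePids = false;` is live and now shares the host PID namespace. If that is intended (the comment says it is needed for rtkit), the commit message should mention the behavioural change; if it is not, the line should be `# sandbox.isolatePids = false; #< needed if i want rtkit to grant this higher scheduling priority` to preserve the old state. Either way the loosening deserves to be deliberate rather than a side effect of the mechanical rewrite. The enclosing attribute set starts and ends outside this hunk.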


@ -309,6 +309,13 @@ let
e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
'';
};
sandbox.isolatePids = mkOption {
type = types.bool;
default = true;
description = ''
whether to place the process in a new PID namespace, if the sandboxer supports that.
'';
};
sandbox.whitelistAudio = mkOption {
type = types.bool;
default = false;
@ -475,8 +482,10 @@ let
++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}")
++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}")
;
sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
sandbox.extraConfig = lib.optionals config.sandbox.usePortal [
"--sanebox-portal"
] ++ lib.optionals (!config.sandbox.isolatePids) [
"--sanebox-keep-namespace" "pid"
];
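Review bot: The new `sandbox.isolatePids` option's description says what the flag does mechanically but not what disabling it costs, and every caller in this commit sets it to `false` with a TODO or a "not sure why"; the option doc is the one place to state the trade-off. Suggest extending the description to something like: "whether to place the process in a new PID namespace, if the sandboxer supports that. Disabling this lets the sandboxed process see, and (subject to ordinary permissions) signal, every other process in the user's session; prefer to keep it enabled unless the program must address PIDs outside its own sandbox." Separately, the switch from `lib.mkIf` to `lib.optionals` changes `extraConfig` from a conditional definition to an unconditional (possibly empty) list; that looks correct for a list-typed option merged with user definitions, but it is worth confirming the option's type is a list so an empty value merges rather than overrides. The `let` block this option sits in begins outside the hunk.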
};
});