From d865be952aaca86356d04e260f94e8a447405d80 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 29 May 2024 12:33:18 +0000
Subject: [PATCH] refactor: sandboxing: replace manual `--sanebox-keep-namespace pid` config with `isolatePids = false`
---
 hosts/common/programs/assorted.nix | 8 ++------
 hosts/common/programs/blast-ugjka/default.nix | 8 +++-----
 hosts/common/programs/dbus.nix | 4 +---
 hosts/common/programs/megapixels.nix | 8 +++-----
 hosts/common/programs/pipewire.nix | 4 +---
 hosts/common/programs/rofi/default.nix | 4 +---
 hosts/common/programs/sane-input-handler/default.nix | 4 +---
 hosts/common/programs/sane-open.nix | 4 +---
 .../programs/swaynotificationcenter/default.nix | 5 +----
 hosts/common/programs/wireplumber.nix | 5 +----
 modules/programs/default.nix | 11 ++++++++++-
 11 files changed, 25 insertions(+), 40 deletions(-)
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index faba5029..54dee6da 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -558,9 +558,7 @@ in
 });
 forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
- forkstat.sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid"
- ];
+ forkstat.sandbox.isolatePids = false;
 forkstat.sandbox.extraPaths = [
 "/proc"
 ];
@@ -923,9 +921,7 @@ in
 # procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others
 procps.sandbox.method = "bwrap";
- procps.sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid"
- ];
+ procps.sandbox.isolatePids = false;
 pstree.sandbox.method = "landlock";
 pstree.sandbox.extraPaths = [
diff --git a/hosts/common/programs/blast-ugjka/default.nix b/hosts/common/programs/blast-ugjka/default.nix
index cb2ca759..d6736bcb 100644
--- a/hosts/common/programs/blast-ugjka/default.nix
+++ b/hosts/common/programs/blast-ugjka/default.nix
@@ -39,11 +39,9 @@ in
 sandbox.method = "bwrap";
 sandbox.whitelistAudio = true;
 sandbox.net = "clearnet";
- sandbox.extraConfig = [
- # else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
- # might be possible to remove this, but kinda hard to see a clean way.
- "--sanebox-keep-namespace" "pid"
- ];
+ #v else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
+ #v might be possible to remove this, but kinda hard to see a clean way.
+ sandbox.isolatePids = false;
 suggestedPrograms = [ "blast-ugjka" "sane-die-with-parent" ];
 };
diff --git a/hosts/common/programs/dbus.nix b/hosts/common/programs/dbus.nix
index ce52c38f..705c0907 100644
--- a/hosts/common/programs/dbus.nix
+++ b/hosts/common/programs/dbus.nix
@@ -36,9 +36,7 @@ in
 sandbox.extraRuntimePaths = [
 "/" #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory
 ];
- sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid" #< not actually sure *why* this is necessary, but it is
- ];
+ sandbox.isolatePids = false; #< not actually sure *why* this is necessary, but it is
 env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";
diff --git a/hosts/common/programs/megapixels.nix b/hosts/common/programs/megapixels.nix
index ef8f0652..3864b7b4 100644
--- a/hosts/common/programs/megapixels.nix
+++ b/hosts/common/programs/megapixels.nix
@@ -52,11 +52,9 @@
 sandbox.extraRuntimePaths = [
 "dconf" #< else it's very spammy, and slow
 ];
- sandbox.extraConfig = [
- # XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
- # "bwrap: open /proc/34/ns/ns failed: No such file or directory"
- "--sanebox-keep-namespace" "pid"
- ];
+ # XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
+ # "bwrap: open /proc/34/ns/ns failed: No such file or directory"
+ sandbox.isolatePids = false;
 suggestedPrograms = [ "dconf" ]; #< not sure if necessary
 };
diff --git a/hosts/common/programs/pipewire.nix b/hosts/common/programs/pipewire.nix
index 2e6757ae..a1d84986 100644
--- a/hosts/common/programs/pipewire.nix
+++ b/hosts/common/programs/pipewire.nix
@@ -60,9 +60,7 @@ in
 # "system"
 # ];
 sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
- sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid"
- ];
+ sandbox.isolatePids = false; #< TODO: why?
 sandbox.capabilities = [
 # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
 "ipc_lock"
diff --git a/hosts/common/programs/rofi/default.nix b/hosts/common/programs/rofi/default.nix
index 6da3aa20..8f10d02a 100644
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -112,9 +112,7 @@ in
 "/mnt/servo/media"
 "/mnt/servo/playground"
 ];
- sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid" # for sane-open to toggle keyboard
- ];
+ sandbox.isolatePids = false; # for sane-open to toggle keyboard
 fs.".config/rofi/config.rasi".symlink.target = ./config.rasi;
 fs."Apps".symlink.target = ".local/share/applications/rofi-applications.desktop";
diff --git a/hosts/common/programs/sane-input-handler/default.nix b/hosts/common/programs/sane-input-handler/default.nix
index d9b37361..fb0d8bdb 100644
--- a/hosts/common/programs/sane-input-handler/default.nix
+++ b/hosts/common/programs/sane-input-handler/default.nix
@@ -97,9 +97,7 @@ in
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; #< to launch applications
 sandbox.extraRuntimePaths = [ "sway" ];
- sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid"
- ];
+ sandbox.isolatePids = false; #< for toggling the keyboard
 };
 # sane.programs.actkbd = {
diff --git a/hosts/common/programs/sane-open.nix b/hosts/common/programs/sane-open.nix
index 90634275..ea9c860e 100644
--- a/hosts/common/programs/sane-open.nix
+++ b/hosts/common/programs/sane-open.nix
@@ -4,9 +4,7 @@
 sandbox.method = "bwrap";
 sandbox.autodetectCliPaths = "existing"; # for when opening a file
 sandbox.whitelistDbus = [ "user" ];
- sandbox.extraConfig = [
- "--sanebox-keep-namespace" "pid" # to toggle keyboard
- ];
+ sandbox.isolatePids = false; #< to toggle keyboard
 sandbox.extraHomePaths = [
 ".local/share/applications"
 ];
diff --git a/hosts/common/programs/swaynotificationcenter/default.nix b/hosts/common/programs/swaynotificationcenter/default.nix
index 51119af0..572aaf68 100644
--- a/hosts/common/programs/swaynotificationcenter/default.nix
+++ b/hosts/common/programs/swaynotificationcenter/default.nix
@@ -47,10 +47,7 @@ in
 };
 sandbox.method = "bwrap";
 sandbox.whitelistDbus = [ "user" ];
- sandbox.extraConfig = [
- # `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
- "--sanebox-keep-namespace" "pid"
- ];
+ sandbox.isolatePids = false; # `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
 };
 sane.programs.swaynotificationcenter = {
diff --git a/hosts/common/programs/wireplumber.nix b/hosts/common/programs/wireplumber.nix
index fde4a92b..eafe68b4 100644
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@@ -20,10 +20,7 @@
 "/sys/class/video4linux"
 "/sys/devices"
 ];
- # sandbox.extraConfig = [
- # # needed if i want rtkit to grant this higher scheduling priority
- # "--sanebox-keep-namespace" "pid"
- # ];
+ sandbox.isolatePids = false; #< needed if i want rtkit to grant this higher scheduling priority
 suggestedPrograms = [ "alsa-ucm-conf" ];
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index c49cb92f..539db11c 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
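Review bot: The wireplumber hunk turns on a setting that was only commented out before: the four removed lines were all `#`-prefixed, and the added `sandbox.isolatePids = false;` is live, so after this commit wireplumber runs in the host PID namespace where it was previously PID-isolated, which is a sandbox loosening rather than the pure refactor the subject line describes. If that loosening is intended it should be called out in the commit message (or split into its own commit); if not, the replacement should stay disabled as `# sandbox.isolatePids = false; #< needed if i want rtkit to grant this higher scheduling priority`. The rationale in the comment is phrased as a possibility ("if i want rtkit ..."), so it appears unverified; confirming that rtkit actually requires a shared PID namespace before widening the sandbox would be worthwhile.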
@@ -309,6 +309,13 @@ let e.g. sandbox.capabilities = [ "net_admin" "net_raw" ]; ''; }; + sandbox.isolatePids = mkOption { + type = types.bool; + default = true; + description = '' + whether to place the process in a new PID namespace, if the sandboxer supports that. + ''; + }; sandbox.whitelistAudio = mkOption { type = types.bool; default = false; @@ -475,8 +482,10 @@ let ++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}") ++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}") ; - sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [ + sandbox.extraConfig = lib.optionals config.sandbox.usePortal [ "--sanebox-portal" + ] ++ lib.optionals (!config.sandbox.isolatePids) [ + "--sanebox-keep-namespace" "pid" ]; }; });
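Review bot: The new `sandbox.isolatePids` option's description documents the mechanism but not the consequence of setting it to false, which is the only way the option is used in this commit: the process keeps the host PID namespace and can therefore see, signal and read `/proc/<pid>` of every other process of the same user, which is precisely what PID isolation is meant to prevent. Several call sites in this commit disable it with comments such as "not actually sure why this is necessary" or "TODO: why?", so the option text is where the trade-off should be made visible to the next person reaching for it; I would extend the description with `Setting this to false leaves the process in the host PID namespace, able to enumerate and signal the user's other processes and read their /proc entries; keep it true unless the program genuinely needs cross-process visibility (e.g. pgrep/pkill).` The second hunk's switch from `lib.mkIf` to `lib.optionals` looks behavior-preserving for a list-typed option, so no concern there.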