refactor: sandboxing: replace manual --sanebox-keep-namespace pid
config with isolatePids = false
parent
7c8a18ecbd
commit
d865be952a
|
@ -558,9 +558,7 @@ in
|
|||
});
|
||||
|
||||
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
|
||||
forkstat.sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
forkstat.sandbox.isolatePids = false;
|
||||
forkstat.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
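Review bot: `forkstat.sandbox.isolatePids = false;` now sits directly under `forkstat.sandbox.method = "landlock";`, and the new option's description (in the options hunk of this same commit) only promises a PID namespace "if the sandboxer supports that", so for a landlock sandbox this line presumably has no effect — yet a reader scanning for weakened isolation will stop on it. A short trailing comment would settle that: `forkstat.sandbox.isolatePids = false; #< presumably a no-op under landlock; kept so the intent survives a switch to bwrap`. Whether landlock actually ignores the setting is not visible in this hunk, so the wording should stay hedged until confirmed.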
|
||||
|
@ -923,9 +921,7 @@ in
|
|||
|
||||
# procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others
|
||||
procps.sandbox.method = "bwrap";
|
||||
procps.sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
procps.sandbox.isolatePids = false;
|
||||
|
||||
pstree.sandbox.method = "landlock";
|
||||
pstree.sandbox.extraPaths = [
|
||||
|
|
|
@ -39,11 +39,9 @@ in
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraConfig = [
|
||||
# else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
|
||||
# might be possible to remove this, but kinda hard to see a clean way.
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
#v else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
|
||||
#v might be possible to remove this, but kinda hard to see a clean way.
|
||||
sandbox.isolatePids = false;
|
||||
suggestedPrograms = [ "blast-ugjka" "sane-die-with-parent" ];
|
||||
};
|
||||
|
||||
|
|
|
@ -36,9 +36,7 @@ in
|
|||
sandbox.extraRuntimePaths = [
|
||||
"/" #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory
|
||||
];
|
||||
sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid" #< not actually sure *why* this is necessary, but it is
|
||||
];
|
||||
sandbox.isolatePids = false; #< not actually sure *why* this is necessary, but it is
|
||||
|
||||
env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";
|
||||
|
||||
|
|
|
@ -52,11 +52,9 @@
|
|||
sandbox.extraRuntimePaths = [
|
||||
"dconf" #< else it's very spammy, and slow
|
||||
];
|
||||
sandbox.extraConfig = [
|
||||
# XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
|
||||
# "bwrap: open /proc/34/ns/ns failed: No such file or directory"
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
# XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
|
||||
# "bwrap: open /proc/34/ns/ns failed: No such file or directory"
|
||||
sandbox.isolatePids = false;
|
||||
|
||||
suggestedPrograms = [ "dconf" ]; #< not sure if necessary
|
||||
};
|
||||
|
|
|
@ -60,9 +60,7 @@ in
|
|||
# "system"
|
||||
# ];
|
||||
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
|
||||
sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
sandbox.isolatePids = false; #< TODO: why?
|
||||
sandbox.capabilities = [
|
||||
# if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
|
||||
"ipc_lock"
|
||||
|
|
|
@ -112,9 +112,7 @@ in
|
|||
"/mnt/servo/media"
|
||||
"/mnt/servo/playground"
|
||||
];
|
||||
sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid" # for sane-open to toggle keyboard
|
||||
];
|
||||
sandbox.isolatePids = false; # for sane-open to toggle keyboard
|
||||
|
||||
fs.".config/rofi/config.rasi".symlink.target = ./config.rasi;
|
||||
fs."Apps".symlink.target = ".local/share/applications/rofi-applications.desktop";
|
||||
|
|
|
@ -97,9 +97,7 @@ in
|
|||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; #< to launch applications
|
||||
sandbox.extraRuntimePaths = [ "sway" ];
|
||||
sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
sandbox.isolatePids = false; #< for toggling the keyboard
|
||||
};
|
||||
|
||||
# sane.programs.actkbd = {
|
||||
|
|
|
@ -4,9 +4,7 @@
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.autodetectCliPaths = "existing"; # for when opening a file
|
||||
sandbox.whitelistDbus = [ "user" ];
|
||||
sandbox.extraConfig = [
|
||||
"--sanebox-keep-namespace" "pid" # to toggle keyboard
|
||||
];
|
||||
sandbox.isolatePids = false; #< to toggle keyboard
|
||||
sandbox.extraHomePaths = [
|
||||
".local/share/applications"
|
||||
];
|
||||
|
|
|
@ -47,10 +47,7 @@ in
|
|||
};
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistDbus = [ "user" ];
|
||||
sandbox.extraConfig = [
|
||||
# `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
sandbox.isolatePids = false; # `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
|
||||
};
|
||||
|
||||
sane.programs.swaynotificationcenter = {
|
||||
|
|
|
@ -20,10 +20,7 @@
|
|||
"/sys/class/video4linux"
|
||||
"/sys/devices"
|
||||
];
|
||||
# sandbox.extraConfig = [
|
||||
# # needed if i want rtkit to grant this higher scheduling priority
|
||||
# "--sanebox-keep-namespace" "pid"
|
||||
# ];
|
||||
sandbox.isolatePids = false; #< needed if i want rtkit to grant this higher scheduling priority
|
||||
|
||||
suggestedPrograms = [ "alsa-ucm-conf" ];
|
||||
|
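Review bot: `sandbox.isolatePids = false;` here is live, whereas the `--sanebox-keep-namespace pid` block it replaces was fully commented out, so this program now runs in the host PID namespace when it did not before — a behavioural change in a commit titled as a refactor. If the intent is still "only if rtkit priority is wanted", keep the setting commented to preserve the old behaviour: `# sandbox.isolatePids = false; #< needed if i want rtkit to grant this higher scheduling priority`. Otherwise the commit message should say explicitly that this program's PID isolation is being dropped, since it is the only hunk in the set where the effective sandbox gets weaker.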
||||
|
|
|
@ -309,6 +309,13 @@ let
|
|||
e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
'';
|
||||
};
|
||||
sandbox.isolatePids = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
whether to place the process in a new PID namespace, if the sandboxer supports that.
|
||||
'';
|
||||
};
|
||||
sandbox.whitelistAudio = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
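Review bot: The `isolatePids` description says what the option does but not what disabling it costs, which is the part a reader flipping it to `false` needs: the process then shares the host's PID namespace (on the consumer side this becomes the `--sanebox-keep-namespace pid` flag), so it can see and, subject to ordinary permissions, signal every other process of the user. Suggest appending to the description: `Set to false only when the program must see or signal processes outside its sandbox (e.g. to reap its own children), and record the reason in a comment at the use site.` With `default = true` the safe setting is already the default, which is worth keeping. The enclosing options attrset starts outside the hunk.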
|
||||
|
@ -475,8 +482,10 @@ let
|
|||
++ lib.optionals (mainProgram != null) (whitelistDir ".config/${mainProgram}")
|
||||
++ lib.optionals (mainProgram != null) (whitelistDir ".local/share/${mainProgram}")
|
||||
;
|
||||
sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
|
||||
sandbox.extraConfig = lib.optionals config.sandbox.usePortal [
|
||||
"--sanebox-portal"
|
||||
] ++ lib.optionals (!config.sandbox.isolatePids) [
|
||||
"--sanebox-keep-namespace" "pid"
|
||||
];
|
||||
};
|
||||
});
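Review bot: Replacing `lib.mkIf config.sandbox.usePortal [ ... ]` with `lib.optionals ... ++ lib.optionals (!config.sandbox.isolatePids) [ ... ]` means `sandbox.extraConfig` is now always defined here — as `[]` when both conditions are false — whereas the `mkIf` form contributed no definition at all. For a `listOf` option this merges identically with the per-program `extraConfig` entries, but if the option has no default, or anything checks whether it was explicitly set, the behaviour differs; the option's type is not visible in this hunk, so it is worth confirming. A one-line comment above the definition, `# always a list: [] when neither portal nor shared PID namespace is requested`, would record the intent. The enclosing `config` block starts outside the hunk.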
|
||||
|
|