programs: sandbox more apps with wrapperType=wrappedDerivation
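--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -30,6 +30,7 @@
 });
 };
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 persist.byStore.plaintext = [
 # ".config/Holy Pangolin/Animatch" #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
 ".local/share/Holy Pangolin/Animatch" #< used for game state (level clears). SuperDerpy.ini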
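Review bot: `sandbox.wrapperType = "wrappedDerivation";` is added verbatim and without a comment here and again in the dino, element-desktop, fractal, g4music, geary, go2tv, imagemagick, neovim, signal, spot, tor-browser, tuba and vlc sections, while nothing on the page says what the option changes or which value applied before this commit. If the sane.programs module has a default for wrapperType, making "wrappedDerivation" the default for bwrap programs would drop the repetition and leave only the four "inplace" exceptions (dialect, epiphany, spotify, wike) spelled out per program; I cannot see the module, so that may not fit its design. Failing that, a one-line comment on this first occurrence naming what a wrapped derivation does differently from an in-place wrap would document the rule that the exceptions are exceptions to. The enclosing attribute set starts and ends outside the hunk.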
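--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -2,6 +2,7 @@
 {
 sane.programs.dialect = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
 sandbox.extraHomePaths = [
 ".config/dconf" # to persist settings
 ];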
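Review bot: The comment on the added `inplace` line says share/search_providers/ calls back into the binary, but not whether that callback reaches the bwrap wrapper or the original executable; the same question applies to the epiphany section (dbus files pointing at /libexec), spotify (binaries in /share/spotify) and wike (share/wike/wike-sp). If in-place wrapping leaves the unwrapped executable reachable at the path those files name, that activation route would start the program outside the sandbox, which is the property worth recording next to the exception. I would extend the comment to something like `# share/search_providers/ calls back into the binary by path, so the wrapper has to replace it at that path rather than sit beside it`, adjusted to however the module actually installs the in-place wrapper. The enclosing attribute set continues outside the hunk.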
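--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -46,6 +46,7 @@ in
 };
 
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 
 persist.byStore.private = [ ".local/share/dino" ];
 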
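--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -8,6 +8,7 @@
 {
 sane.programs.element-desktop = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 packageUnwrapped = pkgs.element-desktop.override {
 # use pre-build electron because otherwise it takes 4 hrs to build from source.
 electron = pkgs.electron-bin;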
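--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -9,6 +9,7 @@
 {
 sane.programs.epiphany = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "inplace"; # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
 sandbox.extraConfig = [
 # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
 # enabling DRM (as below) seems to fix that.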
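--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -28,6 +28,7 @@ in
 # packageUnwrapped = pkgs.fractal-next;
 
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 
 configOption = with lib; mkOption {
 default = {};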
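--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -9,6 +9,7 @@
 {
 sane.programs.g4music = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraHomePaths = [
 "Music"
 ];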
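--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -20,6 +20,7 @@ in
 };
 
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraPaths = [
 # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
 # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.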
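--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -34,6 +34,7 @@ in
 {
 sane.programs.go2tv = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 # for GUI invocation, allow the common media directories
 sandbox.extraHomePaths = [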
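--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -2,6 +2,7 @@
 {
 sane.programs.imagemagick = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistPwd = true;
 sandbox.autodetectCliPaths = true; #< arg formatting is complicated enough that this won't always work.
 packageUnwrapped = pkgs.imagemagick.override {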
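--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -87,6 +87,7 @@ in
 {
 sane.programs.neovim = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 # sandbox.whitelistPwd = true;
 sandbox.extraHomePaths = [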
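--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -23,6 +23,7 @@ in
 
 packageUnwrapped = pkgs.signal-desktop-from-src;
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 
 # creds, media
 persist.byStore.private = [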
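--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -2,6 +2,7 @@
 {
 sane.programs.spot = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
 persist.byStore.plaintext = [
 ".cache/spot/img" # album art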
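--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -2,6 +2,7 @@
 {
 sane.programs.spotify = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "inplace"; # nontraditional package structure, where binaries live in /share/spotify
 sandbox.extraConfig = [
 "--sane-sandbox-firejail-arg"
 "--keep-dev-shm"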
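--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -8,6 +8,7 @@
 # useHardenedMalloc = false;
 # };
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 persist.byStore.cryptClearOnBoot = [
 ".local/share/tor-browser"
 ];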
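--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -2,6 +2,7 @@
 {
 sane.programs.tuba = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 suggestedPrograms = [ "gnome-keyring" ];
 };
 }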
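--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -11,6 +11,7 @@ in
 {
 sane.programs.vlc = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 persist.byStore.private = [
 # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf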
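--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -2,6 +2,7 @@
 {
 sane.programs.wike = {
 sandbox.method = "bwrap";
+sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share
 sandbox.extraPaths = [
 # wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
 # TODO: these could maybe be mounted empty.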