diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index b2173956f..d9d6d2bd5 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -301,7 +301,8 @@ let
 };
 sandbox.enable = mkOption {
 type = types.bool;
- default = true;
+ default = saneCfg.sandbox.enable;
+ apply = value: saneCfg.sandbox.enable && value;
 };
 sandbox.embedSandboxer = mkOption {
 type = types.bool;
@@ -509,17 +510,19 @@ let
 else wrapPkg name config config.packageUnwrapped
 ;
- suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
- "sanebox" "bubblewrap" "passt" "iproute2" "iptables"
- ] ++ lib.optionals (config.sandbox.method == "landlock") [
- "sanebox" "landlock-sandboxer" "capsh"
- ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
- "sanebox" "passt" "iproute2" "iptables" "capsh"
- ] ++ lib.optionals (config.sandbox.method == "capshonly") [
- "sanebox" "capsh"
- ] ++ lib.optionals (config.sandbox.method == "bunpen") [
- "bunpen"
- ];
+ suggestedPrograms = lib.mkIf saneCfg.sandbox.enable (
+ lib.optionals (config.sandbox.method == "bwrap") [
+ "sanebox" "bubblewrap" "passt" "iproute2" "iptables"
+ ] ++ lib.optionals (config.sandbox.method == "landlock") [
+ "sanebox" "landlock-sandboxer" "capsh"
+ ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
+ "sanebox" "passt" "iproute2" "iptables" "capsh"
+ ] ++ lib.optionals (config.sandbox.method == "capshonly") [
+ "sanebox" "capsh"
+ ] ++ lib.optionals (config.sandbox.method == "bunpen") [
+ "bunpen"
+ ]
+ );
 # declare a fs dependency for each secret, but don't specify how to populate it yet.
 # can't populate it here because it varies per-user.
 # this gets the symlink into the sandbox, but not the actual secret.
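Review bot: The new `apply` makes a per-program `sandbox.enable = true` read back as false whenever `sane.sandbox.enable` is off, and nothing on the option says so; it carries no description. Every consumer of this option (the wrapper selection and the assertions further down) reads the post-`apply` value, so an explicit per-program opt-in is silently discarded rather than rejected or warned about. Add `description = "whether to sandbox this program; ANDed with sane.sandbox.enable, so an explicit true here still reads as false when sandboxing is globally disabled";` to the option. With `apply` in place the `default = saneCfg.sandbox.enable;` line is redundant — `default = true;` yields the same effective value and keeps the rendered default honest. The enclosing `sandbox` submodule starts and ends outside the hunk.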
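Review bot: `lib.mkIf` only means something where the value is merged by the module system; if `suggestedPrograms` here is a plain attribute binding rather than a submodule `config` definition, the unevaluated `{ _type = "if"; ... }` would reach the `builtins.map (sug: ...) p.suggestedPrograms` in the assertions below. I cannot see the enclosing binding (it starts and ends outside the hunk, whose header context is only `let`), so this is inferred. `suggestedPrograms = lib.optionals saneCfg.sandbox.enable (` yields the same empty list without depending on module merging and matches the `lib.optionals` idiom the per-method lists already use.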
@@ -590,11 +593,11 @@ let
 configs = lib.mapAttrsToList (name: p: {
 assertions = [
 {
- assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
+ assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.sandbox.strict != "assert";
 message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
 }
 {
- assertion = p.sandbox.net == "all" || p.sandbox.method != null || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
+ assertion = p.sandbox.net == "all" || p.sandbox.method != null || !p.enabled || p.package == null || config.sane.sandbox.strict != "assert";
 message = ''program "${name}" requests net "${builtins.toString p.sandbox.net}", which requires sandboxing, but sandboxing wasn't configured'';
 }
 ] ++ builtins.map (sug: {
@@ -602,7 +605,7 @@ let
 message = ''program "${sug}" referenced by "${name}", but not defined'';
 }) p.suggestedPrograms;
- warnings = lib.mkIf (config.sane.strictSandboxing == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
+ warnings = lib.mkIf (config.sane.sandbox.strict == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
 "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
 ];
@@ -689,13 +692,20 @@ in
 set to 0 to get the fastest, but most restrictive build.
 '';
 };
- sane.strictSandboxing = mkOption {
+ sane.sandbox.strict = mkOption {
 type = types.enum [ false "warn" "assert" ];
 default = "warn";
 description = ''
 whether to require that every `sane.program` explicitly specify its sandbox settings.
 '';
 };
+ sane.sandbox.enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ whether to sandbox any programs at all
+ '';
+ };
 };
 config =
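Review bot: The second assertion still passes for a program that requests a restricted `sandbox.net` when `sane.sandbox.enable = false`: it checks only `p.sandbox.method != null`, while `p.sandbox.enable` now reads false, so the program is presumably installed unsandboxed and its net restriction is dropped without any message under `strict = "assert"`. The first assertion is unaffected only because the new `apply` turns `p.sandbox.enable` off, which likewise silences the `sandbox.method` check and the matching warning in the next hunk. If that is the intended behaviour of the global switch, extend the second assertion with `|| !config.sane.sandbox.enable` and say so in its message; otherwise it should keep failing so the user learns the restriction is not enforced. `configs` begins in this hunk but its body runs past it.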
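Review bot: `sane.strictSandboxing` is renamed to `sane.sandbox.strict` with no alias, so an existing configuration that sets the old name fails evaluation with an undefined-option error instead of migrating; `(lib.mkRenamedOptionModule [ "sane" "strictSandboxing" ] [ "sane" "sandbox" "strict" ])` in the module's `imports` (not in this hunk) keeps old configs working with a deprecation warning. The `sane.sandbox.enable` description also understates its effect: it overrides every per-program `sandbox.enable`, explicit `true` included, and silences the `sandbox.method` assertion and warning, so one line turns off all sandboxing with no feedback. Reword it to `whether to sandbox any programs at all. false overrides every per-program sandbox.enable, including explicit opt-ins, and disables the sandbox.method checks`, and consider `warnings = lib.optional (!config.sane.sandbox.enable) "sane.sandbox.enable = false: no program is sandboxed";` in the `config` block that begins on the hunk's last line.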