programs: sandbox with bunpen *by default*; manually opt out or opt to a different sandboxer where required

2024-09-21 23:00:49 +00:00
parent b4662c838e
commit ea3eaf048e
9 changed files with 21 additions and 16 deletions


@@ -677,7 +677,7 @@ in
# TODO: probably need /dev and such # TODO: probably need /dev and such
]; ];
gnome-screenshot = {}; gnome-screenshot.sandbox.method = null;
google-chrome.sandbox.enable = false; # google-chrome is my "pleeeaaase work" fallback, so let it do anything. google-chrome.sandbox.enable = false; # google-chrome is my "pleeeaaase work" fallback, so let it do anything.
@@ -805,7 +805,7 @@ in
# provides `ip`, `routel`, `bridge`, others. # provides `ip`, `routel`, `bridge`, others.
# landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace (which requires sudo) # landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace (which requires sudo)
# and that means we can't use ANY sandboxer for it. # and that means we can't use ANY sandboxer for it.
iproute2.sandbox.enable = false; iproute2.sandbox.method = null; #< TODO: sandbox
# iproute2.sandbox.net = "all"; # iproute2.sandbox.net = "all";
# iproute2.sandbox.capabilities = [ "net_admin" ]; # iproute2.sandbox.capabilities = [ "net_admin" ];
# iproute2.sandbox.extraPaths = [ # iproute2.sandbox.extraPaths = [
@@ -1127,7 +1127,7 @@ in
# snapshot camera, based on libcamera # snapshot camera, based on libcamera
# TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789> # TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
snapshot = {}; snapshot.sandbox.method = null; #< TODO: sandbox
sops.sandbox.method = "bunpen"; sops.sandbox.method = "bunpen";
sops.sandbox.extraHomePaths = [ sops.sandbox.extraHomePaths = [
@@ -1210,7 +1210,7 @@ in
tumiki-fighters.sandbox.whitelistWayland = true; tumiki-fighters.sandbox.whitelistWayland = true;
tumiki-fighters.sandbox.whitelistX = true; tumiki-fighters.sandbox.whitelistX = true;
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries util-linux.sandbox.method = null; #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries
unzip.sandbox.method = "bunpen"; unzip.sandbox.method = "bunpen";
unzip.sandbox.autodetectCliPaths = "existingOrParent"; unzip.sandbox.autodetectCliPaths = "existingOrParent";
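Review bot: With bunpen now the default, each `sandbox.method = null` is a deliberate hole in the policy, and two of the new ones in this section are under-documented: `gnome-screenshot.sandbox.method = null;` carries no reason at all, and the `#< TODO: sandbox` appended to iproute2 contradicts the comment directly above it, which says `ip netns exec` cannot run under any sandboxer. I'd give gnome-screenshot a one-line reason (or a TODO matching the others) and either rewrite the iproute2 TODO to what is actually outstanding, e.g. `#< TODO: sandbox everything except 'ip netns exec' (needs an existing netns; see above)`, or drop it. The neighbouring `google-chrome.sandbox.enable = false;` keeps the old opt-out spelling while these use `method = null`; if the two are equivalent the file now mixes two ways of saying the same thing, and if they are not, the difference is worth a comment.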


@@ -13,6 +13,7 @@ in
''; '';
}); });
sandbox.enable = false; sandbox.enable = false;
sandbox.method = null; #< TODO: avoids infinite recursion in the sane.programs system
}; };
environment.pathsToLink = lib.mkIf cfg.enabled [ "/libexec/bunpen" ]; environment.pathsToLink = lib.mkIf cfg.enabled [ "/libexec/bunpen" ];
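Review bot: The new `sandbox.method = null; #< TODO: avoids infinite recursion in the sane.programs system` labels an explanation as a TODO, so it reads as unfinished work rather than a required invariant. Since bunpen is now the default method, the sandboxer package presumably must not be wrapped by itself; the comment should state that and what, if anything, remains to be done, e.g. `#< must stay null: bunpen is the default sandboxer, so wrapping it with itself recurses in sane.programs`. `sandbox.enable = false` is kept on the line above as well; if one of the two settings is redundant now, say which one is authoritative.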


@@ -20,5 +20,6 @@
pipewire pipewire
]); ]);
}); });
sandbox.method = null; #< TODO: sandbox
}; };
} }


@@ -3,7 +3,9 @@ let
cfg = config.sane.programs.libcamera; cfg = config.sane.programs.libcamera;
in in
{ {
sane.programs.libcamera = {}; sane.programs.libcamera = {
sandbox.method = null; #< TODO: sandbox
};
services.udev.extraRules = lib.mkIf cfg.enabled '' services.udev.extraRules = lib.mkIf cfg.enabled ''
# libcamera (snapshot, millipixels, ...) # libcamera (snapshot, millipixels, ...)
# see: <https://gitlab.com/postmarketOS/pmaports/-/merge_requests/5541> # see: <https://gitlab.com/postmarketOS/pmaports/-/merge_requests/5541>


@@ -2,6 +2,7 @@
{ {
sane.programs.nix = { sane.programs.nix = {
packageUnwrapped = pkgs.nixVersions.latest; packageUnwrapped = pkgs.nixVersions.latest;
sandbox.method = null; #< TODO: sandbox ?
env.NIXPKGS_ALLOW_UNFREE = "1"; #< FUCK OFF YOU'RE SO ANNOYING env.NIXPKGS_ALLOW_UNFREE = "1"; #< FUCK OFF YOU'RE SO ANNOYING
persist.byStore.plaintext = [ persist.byStore.plaintext = [
# ~/.cache/nix can become several GB; persisted to save RAM # ~/.cache/nix can become several GB; persisted to save RAM
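Review bot: `sandbox.method = null; #< TODO: sandbox ?` records neither why nix is exempted nor whether sandboxing it is believed to be feasible; the trailing `?` suggests the author is unsure. A one-line note of what blocks it (I can't tell from this hunk) would help whoever revisits the exemption, e.g. `#< TODO: sandbox; unclear what store/daemon access nix needs under bunpen`. The `sane.programs.nix` attribute set continues past the end of the hunk.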


@@ -139,7 +139,7 @@ in
srcRoot = ./.; srcRoot = ./.;
pkgs = [ "sane-open" ]; pkgs = [ "sane-open" ];
}; };
sandbox.enable = false; #< trivial script, and all our deps are sandboxed sandbox.method = null; #< trivial script, and all our deps are sandboxed
suggestedPrograms = [ suggestedPrograms = [
"sane-open" "sane-open"


@@ -73,7 +73,7 @@ in
# the idea of this script is to `cd` into a fresh clone... # the idea of this script is to `cd` into a fresh clone...
# but that's an ephemeral operation that would be lost when the sandbox closes. # but that's an ephemeral operation that would be lost when the sandbox closes.
"sane-scripts.clone".sandbox.enable = false; "sane-scripts.clone".sandbox.method = null; #< TODO: sandbox
"sane-scripts.dev-cargo-loop".sandbox = { "sane-scripts.dev-cargo-loop".sandbox = {
method = "bwrap"; method = "bwrap";
@@ -124,16 +124,15 @@ in
".persist/private" ".persist/private"
]; ];
}; };
"sane-scripts.private-lock".sandbox.enable = false; "sane-scripts.private-lock".sandbox.method = null;
"sane-scripts.private-unlock".sandbox.enable = false; "sane-scripts.private-unlock".sandbox.method = null;
"sane-scripts.reclaim-boot-space".sandbox = { "sane-scripts.reclaim-boot-space".sandbox = {
method = "bunpen"; method = "bunpen";
extraPaths = [ "/boot" ]; extraPaths = [ "/boot" ];
}; };
# it's just a thin wrapper around rsync, which is already sandboxed "sane-scripts.rcp".sandbox.enable = false; # it's just a thin wrapper around rsync, which is already sandboxed
"sane-scripts.rcp".sandbox.enable = false;
# but make sure rsync is always on PATH, so that we actually do get sandboxing :) # but make sure rsync is always on PATH, so that we actually do get sandboxing :)
"sane-scripts.rcp".suggestedPrograms = [ "rsync" ]; "sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
@@ -166,7 +165,7 @@ in
]; ];
# sane-secrets-update-keys is a thin wrapper around sops + some utilities. # sane-secrets-update-keys is a thin wrapper around sops + some utilities.
# really i should sandbox just the utilities # really i should sandbox just the utilities
"sane-scripts.secrets-update-keys".sandbox.enable = false; "sane-scripts.secrets-update-keys".sandbox.method = null;
"sane-scripts.secrets-update-keys".suggestedPrograms = [ "sane-scripts.secrets-update-keys".suggestedPrograms = [
"findutils" "findutils"
"sops" "sops"
@@ -196,7 +195,7 @@ in
"sane-scripts.sudo-redirect".sandbox.enable = false; "sane-scripts.sudo-redirect".sandbox.enable = false;
"sane-scripts.sync-music" = {}; "sane-scripts.sync-music" = {};
"sane-scripts.sync-from-iphone" = {}; "sane-scripts.sync-from-iphone".sandbox.method = null; #< TODO
"sane-scripts.tag-media".suggestedPrograms = [ "sane-scripts.tag-media".suggestedPrograms = [
"exiftool" #< for (slightly) better sandboxing than default exiftool "exiftool" #< for (slightly) better sandboxing than default exiftool
@@ -228,8 +227,8 @@ in
{} {}
(builtins.attrNames config.sane.vpn); (builtins.attrNames config.sane.vpn);
"sane-scripts.vpn".sandbox = { "sane-scripts.vpn".sandbox = {
enable = false; #< bwrap can't handle `ip link`, and landlock can't handle bwrap/pasta for `sane-vpn do` enable = false; #< `sane-vpn do ...` wraps arbitrary commands; can't sandbox
# method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin # method = "bunpen";
# net = "all"; # net = "all";
# capabilities = [ "net_admin" ]; # capabilities = [ "net_admin" ];
# extraHomePaths = [ ".config/sane-vpn" ]; # extraHomePaths = [ ".config/sane-vpn" ];
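Review bot: This file now mixes two opt-out spellings: the hunks convert `clone`, `private-lock`, `private-unlock`, `rcp`, `secrets-update-keys` and `sync-from-iphone` to `sandbox.method = null`, but the context line `"sane-scripts.sudo-redirect".sandbox.enable = false;` and the vpn block's `enable = false;` keep the old form. If `enable = false` and `method = null` are equivalent, convert those two as well; if they differ (say, `enable = false` also skips the wrapper entirely), that distinction deserves a comment where it is relied on, because after this commit `method = null` is the only thing standing between a program and the bunpen default. Note also that `"sane-scripts.sync-music" = {};` is left untouched and therefore now gets bunpen with no declared paths, presumably intentional, but worth confirming it can still reach whatever it syncs. The `dev-cargo-loop` and `vpn` sandbox attribute sets continue outside the hunks.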


@@ -16,5 +16,6 @@
packageUnwrapped = pkgs.v4l-utils.override { packageUnwrapped = pkgs.v4l-utils.override {
withGUI = false; #< XXX(2024-09-09): gui does not cross compile due to qtbase / wrapQtAppsHook withGUI = false; #< XXX(2024-09-09): gui does not cross compile due to qtbase / wrapQtAppsHook
}; };
sandbox.method = null; #< TODO: sandbox
}; };
} }


@@ -294,7 +294,7 @@ let
}; };
sandbox.method = mkOption { sandbox.method = mkOption {
type = types.nullOr (types.enum [ "bunpen" "bwrap" "capshonly" "pastaonly" "landlock" ]); type = types.nullOr (types.enum [ "bunpen" "bwrap" "capshonly" "pastaonly" "landlock" ]);
default = null; #< TODO: default to something non-null default = "bunpen";
description = '' description = ''
how/whether to sandbox all binaries in the package. how/whether to sandbox all binaries in the package.
''; '';
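Review bot: The default flips to `"bunpen"` but the description `how/whether to sandbox all binaries in the package.` no longer tells the reader that null is the explicit opt-out, nor that every program is now sandboxed unless it opts out, which is the security-relevant consequence of this change. I'd extend it along the lines of `how/whether to sandbox all binaries in the package. defaults to bunpen; set to null to run the package unsandboxed (leave a comment saying why), or choose another method where bunpen is insufficient.` The relationship to `sandbox.enable`, which this same commit still uses as an opt-out elsewhere, should be stated here too, since a reader of this option cannot tell which setting wins. The `mkOption` call continues past the end of the hunk.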