programs: sandbox with bunpen *by default*; manually opt out or opt to a different sandboxer where required

2024-09-21 23:00:49 +00:00
parent b4662c838e
commit ea3eaf048e
9 changed files with 21 additions and 16 deletions


@@ -677,7 +677,7 @@ in
# TODO: probably need /dev and such
];
gnome-screenshot = {};
gnome-screenshot.sandbox.method = null;
google-chrome.sandbox.enable = false; # google-chrome is my "pleeeaaase work" fallback, so let it do anything.
@@ -805,7 +805,7 @@ in
# provides `ip`, `routel`, `bridge`, others.
# landlock works fine for most of these, but `ip netns exec` wants to attach to an existing namespace (which requires sudo)
# and that means we can't use ANY sandboxer for it.
iproute2.sandbox.enable = false;
iproute2.sandbox.method = null; #< TODO: sandbox
# iproute2.sandbox.net = "all";
# iproute2.sandbox.capabilities = [ "net_admin" ];
# iproute2.sandbox.extraPaths = [
@@ -1127,7 +1127,7 @@ in
# snapshot camera, based on libcamera
# TODO: enable dma heaps for more efficient buffer sharing: <https://gitlab.com/postmarketOS/pmaports/-/issues/2789>
snapshot = {};
snapshot.sandbox.method = null; #< TODO: sandbox
sops.sandbox.method = "bunpen";
sops.sandbox.extraHomePaths = [
@@ -1210,7 +1210,7 @@ in
tumiki-fighters.sandbox.whitelistWayland = true;
tumiki-fighters.sandbox.whitelistX = true;
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries
util-linux.sandbox.method = null; #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries
unzip.sandbox.method = "bunpen";
unzip.sandbox.autodetectCliPaths = "existingOrParent";
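Review bot: The opt-out `gnome-screenshot.sandbox.method = null;` in the @@ -677 hunk carries no comment, so once "bunpen" is the default there is no record of why this program is left unsandboxed; the two `"sane-scripts.private-lock"`/`private-unlock` lines in the sane-scripts section have the same gap. Every other opt-out in this commit at least marks itself, e.g. `gnome-screenshot.sandbox.method = null; #< TODO: sandbox`. The `#< TODO: sandbox` markers themselves (snapshot in the @@ -1127 hunk, and the libcamera, nix, v4l-utils and @@ -20,5 sections) say nothing about what currently blocks sandboxing, so a later audit of unsandboxed programs has to rediscover it; a few words per line (presumably device access for the camera tools, but that is a guess from the names) would make the list reviewable. The attribute set these lines belong to starts and ends outside the hunk.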


@@ -13,6 +13,7 @@ in
'';
});
sandbox.enable = false;
sandbox.method = null; #< TODO: avoids infinite recursion in the sane.programs system
};
environment.pathsToLink = lib.mkIf cfg.enabled [ "/libexec/bunpen" ];
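Review bot: The new line `sandbox.method = null; #< TODO: avoids infinite recursion in the sane.programs system` labels what looks like a structural constraint as a TODO: with bunpen now the default sandboxer, wrapping the bunpen package with bunpen would presumably be self-referential however the module evolves, and a reader cannot tell whether the TODO means "sandbox it with a different method later" or "fix the recursion in sane.programs". Suggest stating which, e.g. `sandbox.method = null; #< bunpen can't be wrapped by bunpen; TODO: try a different sandboxer, or special-case it in sane.programs`. The enclosing attribute set starts outside the hunk.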


@@ -20,5 +20,6 @@
pipewire
]);
});
sandbox.method = null; #< TODO: sandbox
};
}


@@ -3,7 +3,9 @@ let
cfg = config.sane.programs.libcamera;
in
{
sane.programs.libcamera = {};
sane.programs.libcamera = {
sandbox.method = null; #< TODO: sandbox
};
services.udev.extraRules = lib.mkIf cfg.enabled ''
# libcamera (snapshot, millipixels, ...)
# see: <https://gitlab.com/postmarketOS/pmaports/-/merge_requests/5541>


@@ -2,6 +2,7 @@
{
sane.programs.nix = {
packageUnwrapped = pkgs.nixVersions.latest;
sandbox.method = null; #< TODO: sandbox ?
env.NIXPKGS_ALLOW_UNFREE = "1"; #< FUCK OFF YOU'RE SO ANNOYING
persist.byStore.plaintext = [
# ~/.cache/nix can become several GB; persisted to save RAM


@@ -139,7 +139,7 @@ in
srcRoot = ./.;
pkgs = [ "sane-open" ];
};
sandbox.enable = false; #< trivial script, and all our deps are sandboxed
sandbox.method = null; #< trivial script, and all our deps are sandboxed
suggestedPrograms = [
"sane-open"
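Review bot: This opt-out switches to `sandbox.method = null; #< trivial script, and all our deps are sandboxed` while the rcp line in the sane-scripts section, which gives the identical justification, stays on `"sane-scripts.rcp".sandbox.enable = false;`, and sudo-redirect and vpn there keep `enable = false` as well. With `method` now defaulting to "bunpen" the two spellings may not be equivalent (the `sandbox.enable` option is not in view, so whether `enable = false` still consults `method` cannot be read off this diff); pick one spelling for "deliberately unsandboxed" and note in a comment what the other one means, so an audit can grep for a single pattern. The enclosing attribute set starts outside the hunk.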


@@ -73,7 +73,7 @@ in
# the idea of this script is to `cd` into a fresh clone...
# but that's an ephemeral operation that would be lost when the sandbox closes.
"sane-scripts.clone".sandbox.enable = false;
"sane-scripts.clone".sandbox.method = null; #< TODO: sandbox
"sane-scripts.dev-cargo-loop".sandbox = {
method = "bwrap";
@@ -124,16 +124,15 @@ in
".persist/private"
];
};
"sane-scripts.private-lock".sandbox.enable = false;
"sane-scripts.private-unlock".sandbox.enable = false;
"sane-scripts.private-lock".sandbox.method = null;
"sane-scripts.private-unlock".sandbox.method = null;
"sane-scripts.reclaim-boot-space".sandbox = {
method = "bunpen";
extraPaths = [ "/boot" ];
};
# it's just a thin wrapper around rsync, which is already sandboxed
"sane-scripts.rcp".sandbox.enable = false;
"sane-scripts.rcp".sandbox.enable = false; # it's just a thin wrapper around rsync, which is already sandboxed
# but make sure rsync is always on PATH, so that we actually do get sandboxing :)
"sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
@@ -166,7 +165,7 @@ in
];
# sane-secrets-update-keys is a thin wrapper around sops + some utilities.
# really i should sandbox just the utilities
"sane-scripts.secrets-update-keys".sandbox.enable = false;
"sane-scripts.secrets-update-keys".sandbox.method = null;
"sane-scripts.secrets-update-keys".suggestedPrograms = [
"findutils"
"sops"
@@ -196,7 +195,7 @@ in
"sane-scripts.sudo-redirect".sandbox.enable = false;
"sane-scripts.sync-music" = {};
"sane-scripts.sync-from-iphone" = {};
"sane-scripts.sync-from-iphone".sandbox.method = null; #< TODO
"sane-scripts.tag-media".suggestedPrograms = [
"exiftool" #< for (slightly) better sandboxing than default exiftool
@@ -228,8 +227,8 @@ in
{}
(builtins.attrNames config.sane.vpn);
"sane-scripts.vpn".sandbox = {
enable = false; #< bwrap can't handle `ip link`, and landlock can't handle bwrap/pasta for `sane-vpn do`
# method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
enable = false; #< `sane-vpn do ...` wraps arbitrary commands; can't sandbox
# method = "bunpen";
# net = "all";
# capabilities = [ "net_admin" ];
# extraHomePaths = [ ".config/sane-vpn" ];


@@ -16,5 +16,6 @@
packageUnwrapped = pkgs.v4l-utils.override {
withGUI = false; #< XXX(2024-09-09): gui does not cross compile due to qtbase / wrapQtAppsHook
};
sandbox.method = null; #< TODO: sandbox
};
}


@@ -294,7 +294,7 @@ let
};
sandbox.method = mkOption {
type = types.nullOr (types.enum [ "bunpen" "bwrap" "capshonly" "pastaonly" "landlock" ]);
default = null; #< TODO: default to something non-null
default = "bunpen";
description = ''
how/whether to sandbox all binaries in the package.
'';
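Review bot: With the default now "bunpen", the description `how/whether to sandbox all binaries in the package.` no longer tells a reader that null is the opt-out or that opting out has become the exception; suggest `how/whether to sandbox all binaries in the package. defaults to "bunpen"; set to null to leave the package unsandboxed.`. Flipping the default also means every `sane.programs.<name>` definition this commit did not visit is now sandboxed — the fail-closed direction one wants — but the diff cannot show whether the nine files touched cover every program that needed an explicit opt-out, so a full build of all hosts is worth doing before relying on it. The mkOption block continues past the hunk.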