modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox

2024-02-12 12:17:37 +00:00 · 2024-02-12 12:17:37 +00:00 · eee3e138ff
commit eee3e138ff
parent f61cd17e99
1 changed files with 17 additions and 2 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -43,11 +43,18 @@ let
        vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
        sandboxProfilesFor = userName: let
          homeDir = config.sane.users."${userName}".home;
+          uid = config.users.users."${userName}".uid;
+          xdgRuntimeDir = "/run/user/${builtins.toString uid}";
          fullHomePaths = lib.optionals (userName != null) (
            builtins.map
              (p: "${homeDir}/${p}")
              (builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ sandbox.extraHomePaths)
          );
+          fullRuntimePaths = lib.optionals (userName != null) (
+            builtins.map
+              (p: "${xdgRuntimeDir}/${p}")
+              sandbox.extraRuntimePaths
+          );
        in makeProfile {
          inherit pkgName;
          inherit (sandbox)
@ -77,10 +84,9 @@ let
            # /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
            "/run/opengl-driver"
            "/run/opengl-driver-32"  #< XXX: doesn't exist on aarch64?
-            "/run/user"  #< particularly /run/user/$id/wayland-1, pulse, etc.
            "/run/secrets/home"  #< TODO: this could be restricted per-app based on the HOME paths they need
            "/usr/bin/env"
-          ] ++ sandbox.extraPaths ++ fullHomePaths;
+          ] ++ sandbox.extraPaths ++ fullHomePaths ++ fullRuntimePaths;
        };
      in
        makeSandboxed {
@ -346,6 +352,15 @@ let
          additional home-relative paths to bind into the sandbox.
        '';
      };
+      sandbox.extraRuntimePaths = mkOption {
+        type = types.listOf types.str;
+        default = [ "/" ];  #< TODO: reduce to just what's needed
+        description = ''
+          additional $XDG_RUNTIME_DIR-relative paths to bind into the sandbox.
+          e.g. `[ "bus" "wayland-1" ]` to bind the dbus and wayland sockets.
+          or `[ "/" ]` to bind all of XDG_RUNTIME_DIR.
+        '';
+      };
      sandbox.extraConfig = mkOption {
        type = types.listOf types.str;
        default = [];