sane-sandboxed: add support for landlock backend

Colin 2024-01-27 03:39:26 +00:00
parent e21dbd507d
commit ef66d2ec72
3 changed files with 25 additions and 3 deletions


@ -58,7 +58,7 @@ let
"/run/opengl-driver"
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
"/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc.
"/run/secrets/home"
"/run/secrets/home" #< TODO: this could be restricted per-app based on the HOME paths they need
"/usr/bin/env"
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
# but everything seems to gracefully fallback to *something* (MESA software rendering?)
@ -215,8 +215,8 @@ let
'';
};
sandbox.method = mkOption {
type = types.nullOr (types.enum [ "bwrap" "firejail" ]);
default = null; #< TODO: default to bwrap
type = types.nullOr (types.enum [ "bwrap" "firejail" "landlock" ]);
default = null; #< TODO: default to something non-null
description = ''
how/whether to sandbox all binaries in the package.
'';
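Review bot: The enum on the new `type` line now accepts `landlock`, but the description that follows still reads as if every method applies the same restrictions, while the script's landlock backend in this commit only logs a debug message for profiles and capabilities. Extending the description with a sentence such as `the landlock backend restricts filesystem paths only; profiles and capabilities are ignored by it.` would stop a user from choosing it expecting the full set of restrictions. The TODO on the `default` line is unchanged in substance; if the intent is that landlock eventually becomes the default, saying so there would help. The sandbox.method option body continues past the hunk.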


@ -14,6 +14,7 @@ dns=()
method=
firejailFlags=()
bwrapFlags=()
landlockPaths=
debug() {
[ -n "$SANE_SANDBOX_DEBUG" ] && printf "[debug] %s" "$1" >&2
@ -237,6 +238,25 @@ bwrapExec() {
}
## LANDLOCK BACKEND
landlockIngestRootPath() {
# TODO: escape colons
landlockPaths="$landlockPaths:$1"
}
landlockIngestHomePath() {
landlockIngestRootPath "$HOME/$1"
}
landlockIngestProfile() {
debug "landlock doesn't implement profiles"
}
landlockIngestCapability() {
debug "landlock doesn't implement capabilities"
}
landlockExec() {
PATH="$PATH:@landlockSandboxer@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec sandboxer "${cliArgs[@]}"
}
## BACKEND HANDOFF
test -n "$SANE_SANDBOX_PREPEND" && parseArgs "${SANE_SANDBOX_PREPEND[@]}"
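Review bot: landlockExec on the last line of the new backend resolves `sandboxer` through PATH after appending `@landlockSandboxer@/bin`, so a `sandboxer` found in any earlier PATH directory is exec'd instead of the intended one; using the substituted absolute path removes the lookup: `LL_FS_RO= LL_FS_RW="$landlockPaths" exec "@landlockSandboxer@/bin/sandboxer" "${cliArgs[@]}"`. Every ingested path, including root paths such as `/usr/bin/env`, lands in LL_FS_RW while LL_FS_RO is left empty, so this backend grants write access on paths the other backends presumably expose read-only; if the ingest functions can distinguish the two, keeping separate ro/rw variables would preserve the least-privilege intent. landlockIngestRootPath also produces a leading `:` when landlockPaths is still empty and, as its TODO notes, cannot carry a path containing `:`; whether the sandboxer tolerates the empty first entry is not visible here. The profile and capability ingest functions only emit a debug message, so with method landlock those settings are dropped silently unless SANE_SANDBOX_DEBUG is set; an unconditional warning on stderr would make the downgrade visible.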


@ -1,6 +1,7 @@
{ lib, stdenv
, bubblewrap
, firejail
, landlock-sandboxer
, runtimeShell
, substituteAll
, profileDir ? "/share/sane-sandboxed/profiles"
@ -10,6 +11,7 @@ let
sane-sandboxed = substituteAll {
src = ./sane-sandboxed;
inherit bubblewrap firejail runtimeShell;
landlockSandboxer = landlock-sandboxer;
firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";
# /run might be unavailable inside a container, so to support nested containers
# fallback to a profile dir adjacent to the sane-sandboxed binary