colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sane-sandboxed: add support for landlock backend

Browse Source
This commit is contained in:
Colin
2024-01-27 03:39:26 +00:00
parent e21dbd507d
commit ef66d2ec72
3 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/programs/default.nix
View File

@@ -58,7 +58,7 @@ let
"/run/opengl-driver" "/run/opengl-driver"
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64? "/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
"/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc. "/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc.
"/run/secrets/home" "/run/secrets/home" #< TODO: this could be restricted per-app based on the HOME paths they need
"/usr/bin/env" "/usr/bin/env"
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary) # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
# but everything seems to gracefully fallback to *something* (MESA software rendering?) # but everything seems to gracefully fallback to *something* (MESA software rendering?)
@@ -215,8 +215,8 @@ let
''; '';
}; };
sandbox.method = mkOption { sandbox.method = mkOption {
type = types.nullOr (types.enum [ "bwrap" "firejail" ]); type = types.nullOr (types.enum [ "bwrap" "firejail" "landlock" ]);
default = null; #< TODO: default to bwrap default = null; #< TODO: default to something non-null
description = '' description = ''
how/whether to sandbox all binaries in the package. how/whether to sandbox all binaries in the package.
''; '';

20
modules/programs/sane-sandboxed
View File

@@ -14,6 +14,7 @@ dns=()
method= method=
firejailFlags=() firejailFlags=()
bwrapFlags=() bwrapFlags=()
landlockPaths=
debug() { debug() {
[ -n "$SANE_SANDBOX_DEBUG" ] && printf "[debug] %s" "$1" >&2 [ -n "$SANE_SANDBOX_DEBUG" ] && printf "[debug] %s" "$1" >&2
@@ -237,6 +238,25 @@ bwrapExec() {
} }
## LANDLOCK BACKEND
landlockIngestRootPath() {
# TODO: escape colons
landlockPaths="$landlockPaths:$1"
}
landlockIngestHomePath() {
landlockIngestRootPath "$HOME/$1"
}
landlockIngestProfile() {
debug "landlock doesn't implement profiles"
}
landlockIngestCapability() {
debug "landlock doesn't implement capabilities"
}
landlockExec() {
PATH="$PATH:@landlockSandboxer@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec sandboxer "${cliArgs[@]}"
}
## BACKEND HANDOFF ## BACKEND HANDOFF
test -n "$SANE_SANDBOX_PREPEND" && parseArgs "${SANE_SANDBOX_PREPEND[@]}" test -n "$SANE_SANDBOX_PREPEND" && parseArgs "${SANE_SANDBOX_PREPEND[@]}"

2
modules/programs/sane-sandboxed.nix
View File

@@ -1,6 +1,7 @@
{ lib, stdenv { lib, stdenv
, bubblewrap , bubblewrap
, firejail , firejail
, landlock-sandboxer
, runtimeShell , runtimeShell
, substituteAll , substituteAll
, profileDir ? "/share/sane-sandboxed/profiles" , profileDir ? "/share/sane-sandboxed/profiles"
@@ -10,6 +11,7 @@ let
sane-sandboxed = substituteAll { sane-sandboxed = substituteAll {
src = ./sane-sandboxed; src = ./sane-sandboxed;
inherit bubblewrap firejail runtimeShell; inherit bubblewrap firejail runtimeShell;
landlockSandboxer = landlock-sandboxer;
firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail"; firejailProfileDirs = "/run/current-system/sw/etc/firejail /etc/firejail ${firejail}/etc/firejail";
# /run might be unavailable inside a container, so to support nested containers # /run might be unavailable inside a container, so to support nested containers
# fallback to a profile dir adjacent to the sane-sandboxed binary # fallback to a profile dir adjacent to the sane-sandboxed binary