programs: port extraFirejailConfig to extraConfig

2024-01-23 14:30:42 +00:00 · 2024-01-23 14:30:42 +00:00 · f148334b58
commit f148334b58
parent da537ea8ea
4 changed files with 37 additions and 22 deletions
--- a/hosts/common/programs/spotify.nix
+++ b/hosts/common/programs/spotify.nix
@ -2,9 +2,10 @@
 {
  sane.programs.spotify = {
    sandbox.method = "bwrap";
-    sandbox.extraFirejailConfig = ''
-      keep-dev-shm
-    '';
+    sandbox.extraConfig = [
+      "--sane-sandbox-firejail-arg"
+      "--keep-dev-shm"
+    ];
    persist.byStore.plaintext = [
      # probably just songs and such (haven't checked)
      ".cache/spotify"
--- a/hosts/common/programs/wireshark.nix
+++ b/hosts/common/programs/wireshark.nix
@ -5,12 +5,14 @@ in
 {
  sane.programs.wireshark = {
    sandbox.method = "firejail";
-    sandbox.extraFirejailConfig = ''
+    sandbox.extraConfig = [
      # somehow needs `setpcap` (makes these bounding capabilities also be inherited?)
      # else no interfaces appear on the main page
-      ignore caps.keep dac_override,dac_read_search,net_admin,net_raw
-      caps.keep dac_override,dac_read_search,net_admin,net_raw,setpcap
-    '';
+      "--sane-sandbox-firejail-arg"
+      "--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw"
+      "--sane-sandbox-firejail-arg"
+      "--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
+    ];
    slowToBuild = true;
  };

@ -21,6 +23,6 @@ in
  };
  # the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted).
  security.wrappers = lib.mkIf cfg.enabled {
-    dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-firejailed";
+    dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-sandboxed";
  };
 }
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -55,11 +55,12 @@ let
      in
        makeSandboxed {
          inherit pkgName package;
-          inherit (sandbox) binMap method;
+          inherit (sandbox) binMap method extraConfig;
          vpn = if net == "vpn" then vpn else null;
          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ mediaHomePaths;
          allowedRootPaths = [
            "/nix/store"
+            "/bin/sh"
            "/etc"  #< especially for /etc/profiles/per-user/$USER/bin
            "/run/current-system"  #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
            "/run/wrappers"  #< SUID wrappers, in this case so that firejail can be re-entrant
@ -67,10 +68,10 @@ let
            "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here
            # /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
            "/run/opengl-driver"
-            "/run/opengl-driver-32"
+            "/run/opengl-driver-32"  #< XXX: doesn't exist on aarch64?
            "/run/user"  #< particularly /run/user/$id/wayland-1, pulse, etc.
            # "/dev/dri"  #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
-          ] ++ mediaRootPaths;
+          ] ++ mediaRootPaths ++ sandbox.extraPaths;
        }
  );
  pkgSpec = with lib; types.submodule ({ config, name, ... }: {
@ -236,16 +237,24 @@ let
            then set `sandbox.binMap.umpv = "mpv";` to sandbox `bin/umpv` with the same rules as `bin/mpv`
        '';
      };
-      sandbox.extraFirejailConfig = mkOption {
-        type = types.lines;
-        default = "";
+      sandbox.extraPaths = mkOption {
+        type = types.listOf types.str;
+        default = [];
        description = ''
-          extra lines to add to this package's /etc/firejail/{pname}.local file, which is included when running any of the package's /bin files if sandbox.method is set to "firejail".
-
-          example: sandbox.extraFirejailConfig = '''
-            whitelist ''${HOME}/.ssh
-            keep-dev-shm
-          ''';
+          additional absolute paths to bind into the sandbox.
+        '';
+      };
+      sandbox.extraConfig = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          extra arguments to pass to the sandbox wrapper.
+          example: [
+            "--sane-sandbox-firejail-arg"
+            "--whitelist=''${HOME}/.ssh"
+            "--sane-sandbox-firejail-arg"
+            "--keep-dev-shm"
+          ]
        '';
      };
      configOption = mkOption {
@ -273,6 +282,8 @@ let
      else
        wrapPkg name config config.packageUnwrapped
        ;
+      suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [ "bubblewrap" ]
+        ++ lib.optionals (config.sandbox.method == "firejail") [ "firejail" ];
    };
  });
  toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -4,7 +4,7 @@
 , sane-sandboxed
 , writeTextFile
 }:
-{ pkgName, package, method, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }:
+{ pkgName, package, method, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {}, extraConfig ? [] }:
 let
  sane-sandboxed' = sane-sandboxed.meta.mainProgram;  #< load by bin name to reduce rebuilds

@ -31,7 +31,8 @@ let
    "--sane-sandbox-method" method
  ] ++ allowPaths allowedRootPaths
    ++ allowHomePaths allowedHomePaths
-    ++ lib.optionals (vpn != null) vpnItems;
+    ++ lib.optionals (vpn != null) vpnItems
+    ++ extraConfig;

  # two ways i could wrap a package in a sandbox:
  # 1. package.overrideAttrs, with `postFixup`.