programs: port extraFirejailConfig to extraConfig
This commit is contained in:
parent
da537ea8ea
commit
f148334b58
|
@ -2,9 +2,10 @@
|
||||||
{
|
{
|
||||||
sane.programs.spotify = {
|
sane.programs.spotify = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.extraFirejailConfig = ''
|
sandbox.extraConfig = [
|
||||||
keep-dev-shm
|
"--sane-sandbox-firejail-arg"
|
||||||
'';
|
"--keep-dev-shm"
|
||||||
|
];
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
# probably just songs and such (haven't checked)
|
# probably just songs and such (haven't checked)
|
||||||
".cache/spotify"
|
".cache/spotify"
|
||||||
|
|
|
@ -5,12 +5,14 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.wireshark = {
|
sane.programs.wireshark = {
|
||||||
sandbox.method = "firejail";
|
sandbox.method = "firejail";
|
||||||
sandbox.extraFirejailConfig = ''
|
sandbox.extraConfig = [
|
||||||
# somehow needs `setpcap` (makes these bounding capabilities also be inherited?)
|
# somehow needs `setpcap` (makes these bounding capabilities also be inherited?)
|
||||||
# else no interfaces appear on the main page
|
# else no interfaces appear on the main page
|
||||||
ignore caps.keep dac_override,dac_read_search,net_admin,net_raw
|
"--sane-sandbox-firejail-arg"
|
||||||
caps.keep dac_override,dac_read_search,net_admin,net_raw,setpcap
|
"--ignore=caps.keep dac_override,dac_read_search,net_admin,net_raw"
|
||||||
'';
|
"--sane-sandbox-firejail-arg"
|
||||||
|
"--caps.keep=dac_override,dac_read_search,net_admin,net_raw,setpcap"
|
||||||
|
];
|
||||||
slowToBuild = true;
|
slowToBuild = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -21,6 +23,6 @@ in
|
||||||
};
|
};
|
||||||
# the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted).
|
# the SUID wrapper can't also be a firejail (idk why? it might be that the binary's already *too* restricted).
|
||||||
security.wrappers = lib.mkIf cfg.enabled {
|
security.wrappers = lib.mkIf cfg.enabled {
|
||||||
dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-firejailed";
|
dumpcap.source = lib.mkForce "${cfg.package}/bin/.dumpcap-sandboxed";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -55,11 +55,12 @@ let
|
||||||
in
|
in
|
||||||
makeSandboxed {
|
makeSandboxed {
|
||||||
inherit pkgName package;
|
inherit pkgName package;
|
||||||
inherit (sandbox) binMap method;
|
inherit (sandbox) binMap method extraConfig;
|
||||||
vpn = if net == "vpn" then vpn else null;
|
vpn = if net == "vpn" then vpn else null;
|
||||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ mediaHomePaths;
|
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ mediaHomePaths;
|
||||||
allowedRootPaths = [
|
allowedRootPaths = [
|
||||||
"/nix/store"
|
"/nix/store"
|
||||||
|
"/bin/sh"
|
||||||
"/etc" #< especially for /etc/profiles/per-user/$USER/bin
|
"/etc" #< especially for /etc/profiles/per-user/$USER/bin
|
||||||
"/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
|
"/run/current-system" #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
|
||||||
"/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant
|
"/run/wrappers" #< SUID wrappers, in this case so that firejail can be re-entrant
|
||||||
|
@ -67,10 +68,10 @@ let
|
||||||
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
|
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here
|
||||||
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
|
# /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
|
||||||
"/run/opengl-driver"
|
"/run/opengl-driver"
|
||||||
"/run/opengl-driver-32"
|
"/run/opengl-driver-32" #< XXX: doesn't exist on aarch64?
|
||||||
"/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc.
|
"/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc.
|
||||||
# "/dev/dri" #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
|
# "/dev/dri" #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
|
||||||
] ++ mediaRootPaths;
|
] ++ mediaRootPaths ++ sandbox.extraPaths;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
pkgSpec = with lib; types.submodule ({ config, name, ... }: {
|
pkgSpec = with lib; types.submodule ({ config, name, ... }: {
|
||||||
|
@ -236,16 +237,24 @@ let
|
||||||
then set `sandbox.binMap.umpv = "mpv";` to sandbox `bin/umpv` with the same rules as `bin/mpv`
|
then set `sandbox.binMap.umpv = "mpv";` to sandbox `bin/umpv` with the same rules as `bin/mpv`
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sandbox.extraFirejailConfig = mkOption {
|
sandbox.extraPaths = mkOption {
|
||||||
type = types.lines;
|
type = types.listOf types.str;
|
||||||
default = "";
|
default = [];
|
||||||
description = ''
|
description = ''
|
||||||
extra lines to add to this package's /etc/firejail/{pname}.local file, which is included when running any of the package's /bin files if sandbox.method is set to "firejail".
|
additional absolute paths to bind into the sandbox.
|
||||||
|
'';
|
||||||
example: sandbox.extraFirejailConfig = '''
|
};
|
||||||
whitelist ''${HOME}/.ssh
|
sandbox.extraConfig = mkOption {
|
||||||
keep-dev-shm
|
type = types.listOf types.str;
|
||||||
''';
|
default = [];
|
||||||
|
description = ''
|
||||||
|
extra arguments to pass to the sandbox wrapper.
|
||||||
|
example: [
|
||||||
|
"--sane-sandbox-firejail-arg"
|
||||||
|
"--whitelist=''${HOME}/.ssh"
|
||||||
|
"--sane-sandbox-firejail-arg"
|
||||||
|
"--keep-dev-shm"
|
||||||
|
]
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
configOption = mkOption {
|
configOption = mkOption {
|
||||||
|
@ -273,6 +282,8 @@ let
|
||||||
else
|
else
|
||||||
wrapPkg name config config.packageUnwrapped
|
wrapPkg name config config.packageUnwrapped
|
||||||
;
|
;
|
||||||
|
suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [ "bubblewrap" ]
|
||||||
|
++ lib.optionals (config.sandbox.method == "firejail") [ "firejail" ];
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;
|
toPkgSpec = with lib; types.coercedTo types.package (p: { package = p; }) pkgSpec;
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
, sane-sandboxed
|
, sane-sandboxed
|
||||||
, writeTextFile
|
, writeTextFile
|
||||||
}:
|
}:
|
||||||
{ pkgName, package, method, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {} }:
|
{ pkgName, package, method, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {}, extraConfig ? [] }:
|
||||||
let
|
let
|
||||||
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
||||||
|
|
||||||
|
@ -31,7 +31,8 @@ let
|
||||||
"--sane-sandbox-method" method
|
"--sane-sandbox-method" method
|
||||||
] ++ allowPaths allowedRootPaths
|
] ++ allowPaths allowedRootPaths
|
||||||
++ allowHomePaths allowedHomePaths
|
++ allowHomePaths allowedHomePaths
|
||||||
++ lib.optionals (vpn != null) vpnItems;
|
++ lib.optionals (vpn != null) vpnItems
|
||||||
|
++ extraConfig;
|
||||||
|
|
||||||
# two ways i could wrap a package in a sandbox:
|
# two ways i could wrap a package in a sandbox:
|
||||||
# 1. package.overrideAttrs, with `postFixup`.
|
# 1. package.overrideAttrs, with `postFixup`.
|
||||||
|
|
Loading…
Reference in New Issue
Block a user