713a85b3d3
fix bad --add-flags invocations
...
makeBinaryWrapper was updated some months ago to apply shell-style parsing to --add-flags; thats not what you want most of the time
2025-07-28 07:18:32 +00:00
19a14cc8ad
ssh: migrate to using ssh-agent
...
this provides better security, and the possibility of easier dependency injecting (e.g. coercing a program to use some _specific_ ssh key, even when not designed for it)'
2025-06-05 19:09:30 +00:00
b11e329351
make host details like host_pubkey, wg-home.ip be optional
2025-06-01 20:08:49 +00:00
38624342bb
modules/programs: implement a whitelistSecurityKeys sandboxing option
2025-05-04 20:49:54 +00:00
77f62d247f
nixpkgs: 2025-01-28 -> 2025-02-07
2025-02-08 12:26:27 +00:00
0d6ae1cc3a
nixpkgs: 0-unstable-2025-01-27 -> 0-unstable-2025-01-28
2025-01-28 23:23:48 +00:00
7f1be0d933
systemctl: fix sandboxing
2025-01-21 05:51:42 +00:00
9fccd2cf86
programs: gnome-frog: split into own file; hopefully fix dbus sandboxing
2025-01-14 23:31:41 +00:00
3fffc50975
modules/programs: allow access to the ProxyResolver portal
2025-01-11 00:45:27 +00:00
a3ebeb0543
modules/programs: enable org.freedesktop.DBus.Introspectable.Introspect for portal users
2025-01-11 00:45:27 +00:00
4c56ea3e6b
modules/programs: add more portal sandboxing options, and MPRIS option
2025-01-11 00:45:27 +00:00
65da9bd004
fractal: restrict dbus access a bit tighter
2025-01-06 11:25:35 +00:00
2a1d6fff08
programs: refactor whitelistDbus
2025-01-06 10:02:21 +00:00
3fc6571294
programs: don't persist mesaCacheDir by default
...
and explicitly add it to every program that uses mesa.
wow, that's a *lot*
2025-01-02 05:36:19 +00:00
bc15a876ff
programs: place TMPDIR on ephemeral storage for select programs which demand a lot of it
2024-12-17 10:26:34 +00:00
e145a8f003
assorted: remove the mesa cache for apps which aren't using it
2024-12-16 01:30:32 +00:00
cec413720e
programs: change the default mesa persistence directory
2024-12-16 00:08:27 +00:00
08ca65c2a4
programs: persist mesa dirs for every wayland application
...
this is certainly *not* perfect (it incorrectly persists some wayland utils like wtype; it has the wrong name for e.g. grimshot), but it's a good start
2024-12-16 00:06:31 +00:00
a0ade73638
modules/programs: allow using custom mesa cache dirs, when sandboxed
2024-12-15 23:31:50 +00:00
3da9874176
bunpen: kill --bunpen-{home,run}-path in favor of shell-style expansion/parameterization
2024-12-15 23:03:52 +00:00
4788170e8a
programs: ensure gnome-keyring is started before the things which need it
...
notably, this seems to ensure dissent reliably logs on at start
2024-12-14 02:06:14 +00:00
13bc81fb6a
programs: patch udev rules more effectively
2024-12-09 23:13:22 +00:00
ebb7d0b4e1
treewide: replace runCommandLocal with runCommand + preferLocalBuild
...
the former prevents all substitution; the latter is just a hint to Nix on how to prioritize available builders
2024-12-09 10:35:24 +00:00
fc239cfa34
modules/programs: support mime.priority when handling duplicated env keys
2024-12-03 02:18:48 +00:00
de182e117d
modules/programs: enable even more /dev/video devices inside the relevant sandboxes
2024-11-29 18:33:35 +00:00
02286a24ba
modules/programs: add more /dev/video devices required by pinephone-pro rear camera
2024-11-29 18:29:35 +00:00
1f84fc4b2b
programs: port a few programs from dconf -> gsettings, tested on desko
2024-11-07 05:06:44 +00:00
3a9e4af6da
modules/programs: introduce a gsettings config option, which so far routes to dconf but later will stand alone
2024-11-07 03:30:34 +00:00
0dff9f993f
browserpass: sandbox
2024-10-29 08:21:42 +00:00
864e75afce
sanebox: purge
2024-10-29 05:59:01 +00:00
1c57b9ce9e
programs/sandbox: include udev rules in the sandboxed program output
...
notably, this fixes feedbackd so that the PPP haptics/vibrator is writable by the user
2024-10-22 07:01:18 +00:00
dbc29db5fa
modules/programs: update docs for tryKeepUsers
2024-10-16 00:18:06 +00:00
0744237c13
programs: fix most service invokers (sway, nwg-panel, etc) to use systemd
2024-10-03 03:20:05 +00:00
61df81291b
refactor: optimize eval time
...
lifting `let` bindings up where possible helps reduce the number of thunks nix has to allocate. this patch only does that by 0.3%-ish, though
2024-10-01 03:54:44 +00:00
0c270fe4a3
WIP: sane.fs consumers: avoid wantedBy/wantedBeforeBy
2024-09-30 10:19:39 +00:00
edb665abd0
users: add a systemd backend for managing services
2024-09-28 03:38:46 +00:00
ea3eaf048e
programs: sandbox with bunpen *by default*; manually opt out or opt to a different sandboxer where required
2024-09-21 23:00:49 +00:00
208b634040
programs/sandboxing: add required args to use pasta
2024-09-21 12:21:11 +00:00
8979ff0eec
bunpen: plumb pasta related arguments into make-sandboxed
...
for testing only: these options don't yet have the intended effect
2024-09-19 23:54:43 +00:00
034c3f987e
programs/make-sandboxed: fix for apps which ship thumbnailers (i.e. gnome papers)
2024-09-17 02:33:51 +00:00
e9decbbf40
sandboxing: add a global toggle to disable sandboxing
2024-09-16 00:38:02 +00:00
b5f9ba62d0
camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly)
...
N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps)
this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that
2024-09-15 11:14:23 +00:00
6e0c83b4f3
modules/programs: don't install bunpen/sanebox unless some program actually requires it
2024-09-14 23:10:19 +00:00
b43ee23459
firefox: allow webcam access
2024-09-13 00:02:48 +00:00
3ef98a5ab3
modules/programs: support "sandbox.keepIpc = true"
2024-09-07 22:10:11 +00:00
8255e419be
modules/programs: rename "keepUsers" -> "tryKeepUsers"
2024-09-06 06:32:49 +00:00
6e30527688
modules/programs: simplfiy the common combination of keeping pids AND /proc by introducing "keepPidsAndProc"
2024-09-06 04:18:46 +00:00
9340f52df1
modules/programs: rename isolatePids -> keepPids, isolateUsers -> keepUsers
...
this follows my explicit whitelisting elsewhere
2024-09-06 04:06:42 +00:00
850c975321
modules/programs: when sandboxing, use makeBinaryWrapper if supported
2024-09-06 01:17:21 +00:00
6ff35b4366
dbus: place the bus in a subdirectory for better sandboxing
2024-09-04 13:04:20 +00:00
