Commit Graph

167 Commits

Author SHA1 Message Date
Colin b5502ea401 sanebox: remove --sanebox-cache-symlink flag 2024-05-15 23:59:38 +00:00
Colin 1211023c55 modules/programs: remove dead code from per-user profiles 2024-05-15 23:58:10 +00:00
Colin b4229ecb1e sanebox: load the link cache from a static /etc path instead of via CLI args 2024-05-15 23:55:15 +00:00
Colin 348837ff4a programs: sandboxing: replace profiles with raw CLI args 2024-05-15 09:13:20 +00:00
Colin 17eaa7446a sanebox: remove all profile-related features except for direct, path-based profile loading 2024-05-15 09:13:20 +00:00
Colin 530664294a programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS 2024-05-15 08:54:16 +00:00
Colin b649071d98 programs: sandboxing: make the profiles be generic across users 2024-05-15 08:48:09 +00:00
    this is a step toward making the profile not even be dynamically loaded, since its content is no longer dynamic :)
Colin ea2653b7ce programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first 2024-05-15 08:20:09 +00:00
Colin 4c1b1282d6 modules/programs: sandbox: be compatible with systemd resolved again 2024-05-15 02:57:40 +00:00
Colin adfaa7f9c1 sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00
Colin bee3eea040 modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox 2024-05-14 04:18:29 +00:00
Colin f3106ee316 programs: maxBuildCost: fix to actually build everything by default 2024-05-13 22:57:40 +00:00
Colin 43d32641f3 programs: buildCost: introduce a new level between `min` and `light` 2024-05-13 22:45:33 +00:00
Colin 46d95805e9 programs: simplify sandbox symlink closure code 2024-05-13 07:49:00 +00:00
Colin bd3e06982b sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked 2024-05-13 02:11:47 +00:00
Colin 660ba94c7c sane-sandboxed: introduce a symlink cache to reduce `readlink` calls even more 2024-05-13 01:31:30 +00:00
    it's all a bit silly. I still do a bunch of `-L` tests: I just avoid the costly `readlink` fork :|
Colin 2eea562d1f sandbox: remove unused "binMap" option 2024-04-15 19:56:33 +00:00
Colin 0385c09f23 sane-sandboxed: split out into an actual package 2024-04-15 18:57:22 +00:00
Colin 4b22fd95bf introduce 'moby-min' host variant for the quickest deployment (no webkitgtk) 2024-04-13 20:29:24 +00:00
Colin febedb9323 nits: update `--replace` uses to `--replace-{fail,quiet}` as appropriate 2024-03-24 12:49:18 +00:00
Colin 03fbb780b2 sane.programs: sandbox: refactor extraRuntimePaths computation 2024-03-24 12:03:38 +00:00
Colin 9c0b175260 swaync: allow toggling of s6 services 2024-03-24 11:54:12 +00:00
Colin 6102a0301d sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox 2024-03-23 16:37:22 +00:00
Colin 5205251f6f programs: xwayland: sandbox it without exposing net access 2024-03-23 15:33:23 +00:00
Colin 8c48adefa5 pipewire: move sockets into a subdirectory for easier sandboxing 2024-03-23 13:34:13 +00:00
Colin 70b5c57b50 modules/programs: enforce (or rather document) a stricter schema 2024-03-21 17:16:01 +00:00
    this should make it easier to switch to a different service manager
Colin b25df1d997 sane-sandboxed: fix capabilities example 2024-03-14 01:36:46 +00:00
Colin 4510352c07 sane-sandboxed: implement --sane-sandbox-no-portal flag 2024-03-13 04:49:48 +00:00
Colin 430592632c sane-sandboxed: add a help message 2024-03-13 04:49:48 +00:00
Colin 56aca78d84 make-sandboxed: also sandbox the `.lib` output of a package 2024-03-13 04:49:48 +00:00
Colin 8029744c90 modules/programs: don't expose *all* of /run/secrets/home to every program 2024-03-02 18:51:39 +00:00
    this was actually causing a lot of bwrap errors because that directory's not user-readable

    turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
Colin a45e42910d make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage 2024-03-02 07:11:45 +00:00
Colin db89ac88f0 sane-sandboxed: add new `--sane-sandbox-keep-namespace all` option 2024-03-01 20:48:56 +00:00
Colin 40e30cf2f8 programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere I manually set that 2024-02-28 17:39:00 +00:00
Colin 812c0c8029 packages: reduce the number of packages which are using inplace sandbox wrapping 2024-02-28 17:35:40 +00:00
Colin a4248fd5cc make-sandboxed: don't try to wrap directories 2024-02-28 16:28:25 +00:00
    whoops. `test -x` is true for directories
Colin b302113fc0 modules/programs: require manual definition; don't auto-populate attrset 2024-02-28 13:35:09 +00:00
    this greatly decreases nix eval time
Colin 6ef729bbaf assorted: prefer runCommandLocal over runCommand where it makes sense 2024-02-27 22:26:56 +00:00
Colin 8f424dcd5a programs: sandboxing: link /etc into sandboxed programs 2024-02-27 22:25:17 +00:00
    this is crucial for e.g. swaync, to find its resource files.
    maybe a good idea to link *every* package directory which I also link into /run/current-system.
Colin d2df668c9e modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts> 2024-02-25 12:00:00 +00:00
Colin f807d7c0a2 modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead 2024-02-25 08:15:39 +00:00
    this is necessary for some programs which want a near-maximal sandbox, like launchers or shells, or more specifically, `sane-private-do`.
Colin 73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
Colin a55dc5332d modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option 2024-02-25 01:48:10 +00:00
    some programs will want this, to create directories by name; e.g. archive managers
Colin 86108518da modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect 2024-02-25 01:43:39 +00:00
Colin 0448df51e3 modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag 2024-02-24 12:00:58 +00:00
Colin 8e3eed7d51 modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel
this will make it easier to intercept
2024-02-24 11:57:42 +00:00
Colin 88a70b41f1 modules/programs: handle more symlink forms when calculating a program's sandbox closure 2024-02-24 11:47:39 +00:00
Colin 6f59254a22 modules/programs: fix symlink following 2024-02-24 05:36:44 +00:00
Colin 170eeeacc4 programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure 2024-02-23 07:06:29 +00:00
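Two of the ideas in this stretch of the log lend themselves to a worked example: the CLI autodetect modes (`existingFile`, `existingOrParent`, `existingFileOrParent`) that decide which arguments name paths worth exposing, and the "sandbox closure" of a path, which must follow symlinks at every component rather than only at the leaf (otherwise `/run/current-system/sw/bin/foo` resolves on the host but not inside a sandbox where `/run/current-system` is missing), with a link cache in front of the filesystem lookups. The code below is an added example written for this page, not sanebox's implementation; the function names, the precise meaning assigned to each autodetect mode, and the NixOS-like directory tree it builds under a temporary directory are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def readlink_cached(path, cache, stats):
    """Symlink target of `path`, or None if it is not a symlink, memoised in
    `cache` so repeated closure computations never touch the filesystem twice
    for the same component. stats["lookups"] counts the cache misses."""
    if path not in cache:
        stats["lookups"] += 1
        cache[path] = os.readlink(path) if os.path.islink(path) else None
    return cache[path]


def sandbox_closure(path, cache=None, stats=None):
    """Every path that must exist in the sandbox for `path` to resolve:
    the path itself, each symlink met while walking *every* component
    (not just the leaf), and the same again for each link target."""
    cache = {} if cache is None else cache
    stats = {"lookups": 0} if stats is None else stats
    closure, pending = set(), [os.path.normpath(path)]
    while pending:
        p = pending.pop()
        if p in closure:
            continue
        closure.add(p)
        cur = Path(p).anchor
        for comp in Path(p).parts[1:]:
            cur = os.path.join(cur, comp)
            target = readlink_cached(cur, cache, stats)
            if target is None:
                continue
            closure.add(cur)  # the link itself has to be present too
            resolved = os.path.normpath(os.path.join(os.path.dirname(cur), target))
            rest = os.path.relpath(p, cur)
            pending.append(resolved if rest == "." else os.path.join(resolved, rest))
            break  # the remainder of `p` is revisited under the resolved prefix
    return closure


def autodetect_paths(argv, mode):
    """Pick the CLI arguments that look like paths to expose. The mode
    semantics are assumed for this example, named after the log's options:
      existing             -> any existing path
      existingFile         -> existing regular files only
      existingOrParent     -> the path if it exists, else its existing parent
      existingFileOrParent -> an existing file, else (if nothing is there yet)
                              its parent, so the program can create the file"""
    chosen = []
    for arg in argv:
        if not arg.startswith(("/", "~", "./", "../")):
            continue
        p = os.path.abspath(os.path.expanduser(arg))
        parent = os.path.dirname(p)
        if mode == "existing" and os.path.exists(p):
            chosen.append(p)
        elif mode == "existingFile" and os.path.isfile(p):
            chosen.append(p)
        elif mode == "existingOrParent":
            if os.path.exists(p):
                chosen.append(p)
            elif os.path.isdir(parent):
                chosen.append(parent)
        elif mode == "existingFileOrParent":
            if os.path.isfile(p):
                chosen.append(p)
            elif not os.path.exists(p) and os.path.isdir(parent):
                chosen.append(parent)
    return chosen


def demo_tree():
    """Constructed sample input: a NixOS-like tree under a temp dir where
    /run/current-system, its sw/ entry and sw/bin/foo are all symlinks."""
    root = os.path.realpath(tempfile.mkdtemp())
    real = f"{root}/nix/store/aaa-foo/bin/foo"
    os.makedirs(os.path.dirname(real))
    open(real, "w").close()
    os.makedirs(f"{root}/nix/store/ccc-system-path/bin")
    os.symlink(real, f"{root}/nix/store/ccc-system-path/bin/foo")
    os.makedirs(f"{root}/nix/store/bbb-system")
    os.symlink(f"{root}/nix/store/ccc-system-path", f"{root}/nix/store/bbb-system/sw")
    os.makedirs(f"{root}/run")
    os.symlink(f"{root}/nix/store/bbb-system", f"{root}/run/current-system")
    return root


if __name__ == "__main__":
    root = demo_tree()
    cache, stats = {}, {"lookups": 0}
    for p in sorted(sandbox_closure(f"{root}/run/current-system/sw/bin/foo", cache, stats)):
        print(p)
    print("filesystem lookups:", stats["lookups"])
```

Each path in the returned closure is what would be bind-mounted (or, for the symlinks, recreated with `--symlink`) so the original path resolves inside the sandbox exactly as it does on the host; the cache is why a second closure computation over the same components costs no further lookups.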
Colin 2a528a5d8e sane-sandboxed: leave a note about future mount work 2024-02-21 16:08:42 +00:00