Commit Graph

82 Commits

Author SHA1 Message Date
Colin 4c1b1282d6 modules/programs: sandbox: be compatible with systemd resolved again 2024-05-15 02:57:40 +00:00
Colin adfaa7f9c1 sane-sandboxed -> sanebox 2024-05-15 01:41:40 +00:00
Colin bee3eea040 modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox 2024-05-14 04:18:29 +00:00
Colin f3106ee316 programs: maxBuildCost: fix to actually build everything by default 2024-05-13 22:57:40 +00:00
Colin 43d32641f3 programs: buildCost: introduce a new level between `min` and `light` 2024-05-13 22:45:33 +00:00
Colin 46d95805e9 programs: simplify sandbox symlink closure code 2024-05-13 07:49:00 +00:00
Colin bd3e06982b sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked 2024-05-13 02:11:47 +00:00
Colin 660ba94c7c sane-sandboxed: introduce a symlink cache to reduce `readlink` calls even more
it's all a bit silly. i still do a bunch of -L tests: i just avoid the costly readlink fork :|
2024-05-13 01:31:30 +00:00
Colin 2eea562d1f sandbox: remove unused "binMap" option 2024-04-15 19:56:33 +00:00
Colin 0385c09f23 sane-sandboxed: split out into an actual package 2024-04-15 18:57:22 +00:00
Colin 4b22fd95bf introduce 'moby-min' host variant for the quickest deployment (no webkitgtk) 2024-04-13 20:29:24 +00:00
Colin 03fbb780b2 sane.programs: sandbox: refactor extraRuntimePaths computation 2024-03-24 12:03:38 +00:00
Colin 9c0b175260 swaync: allow toggling of s6 services 2024-03-24 11:54:12 +00:00
Colin 6102a0301d sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox 2024-03-23 16:37:22 +00:00
Colin 5205251f6f programs: xwayland: sandbox it without exposing net access 2024-03-23 15:33:23 +00:00
Colin 8c48adefa5 pipewire: move sockets into a subdirectory for easier sandboxing 2024-03-23 13:34:13 +00:00
Colin 70b5c57b50 modules/programs: enforce (or rather document) a stricter schema
this should make it easier to switch to a different service manager
2024-03-21 17:16:01 +00:00
Colin 8029744c90 modules/programs: don't expose *all* of /run/secrets/home to every program
this was actually causing a lot of bwrap errors because that directory's not user-readable

turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
2024-03-02 18:51:39 +00:00
Colin 40e30cf2f8 programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that 2024-02-28 17:39:00 +00:00
Colin b302113fc0 modules/programs: require manual definition; don't auto-populate attrset
this greatly decreases nix eval time
2024-02-28 13:35:09 +00:00
Colin 73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
Colin 88a70b41f1 modules/programs: handle more symlink forms when calculating a program's sandbox closure 2024-02-24 11:47:39 +00:00
Colin 6f59254a22 modules/programs: fix symlink following 2024-02-24 05:36:44 +00:00
Colin 170eeeacc4 programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure 2024-02-23 07:06:29 +00:00
Colin 5f1036118f modules/programs: sandboxing: add a "whitelistX" option 2024-02-15 00:09:16 +00:00
Colin 22ca253ae0 modules/programs: better document the `env` option 2024-02-14 11:08:43 +00:00
Colin 8b32f2f231 modules/programs: add support for 'autodetectCliPaths = parent' 2024-02-14 04:31:59 +00:00
Colin 080bd856ec programs: sandboxing: only permit wayland socket access to those specific apps which require it 2024-02-14 01:49:49 +00:00
Colin 34b148f6cc modules/programs: allow specifying perlPackages members as programs, as i do with python3Packages, etc 2024-02-13 12:31:04 +00:00
Colin 1a18ed533b programs: don't include dbus in the sandbox by default 2024-02-13 11:58:33 +00:00
Colin 6eaaeeb91a programs: remove audio from the sandbox by default 2024-02-13 11:14:38 +00:00
Colin bb68506839 modules/programs: add separate "user" vs. "system" options for whitelistDbus 2024-02-13 10:55:10 +00:00
Colin 126f3e4922 programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default 2024-02-13 10:28:30 +00:00
Colin 73afceb8c6 modules/programs: sandbox: add `whitelistWayland` option 2024-02-13 10:24:35 +00:00
Colin 27fd81ad80 modules/programs: add new options for whitelisting audio/dbus 2024-02-12 15:23:35 +00:00
Colin 7b28023e08 modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr 2024-02-12 14:27:48 +00:00
Colin b0394d877d modules/programs: rename allowedRootPaths -> allowedPaths
now that allowedHomePaths doesn't exist
2024-02-12 13:00:10 +00:00
Colin a90b5b53db modules/programs: sandboxing: dereference symlinks and also include those in the sandbox 2024-02-12 12:48:02 +00:00
Colin eee3e138ff modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox 2024-02-12 12:18:59 +00:00
Colin f61cd17e99 modules/programs: sandboxing: specialize profiles per-user by expanding $HOME 2024-02-12 12:08:58 +00:00
Colin 3e0b0a0f02 modules/programs: make-sandboxed: lift profile creation logic out to the toplevel 2024-02-12 11:52:33 +00:00
Colin 2ee34e9af3 modules/profiles: remove sandbox.embedProfile option
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
2024-02-12 11:35:59 +00:00
Colin 93012664e5 modules/programs: simplify how sandbox profiles make it into system packages 2024-02-12 10:52:44 +00:00
Colin 0861edd7f9 modules/programs: remove ~/.config/mimeo from sandbox defaults 2024-02-11 23:35:27 +00:00
Colin b6bf8720c9 modules/programs: implement --sane-sandbox-portal flag for apps which want to use the portal to open other apps 2024-02-11 23:32:24 +00:00
Colin c9af5bf9b4 programs: sandboxing: enable net isolation for most sandboxed programs 2024-02-08 21:51:32 +00:00
Colin bc85169e3d programs: sandboxer: allow disable net access 2024-02-08 21:07:34 +00:00
Colin 0c050d1953 programs: fuzzel: fix overly-aggressive sandboxing 2024-02-06 20:10:29 +00:00
Colin 4d51c34ad2 programs: allow `sane.strictSandboxing = "warn"` 2024-02-05 05:28:02 +00:00
Colin 3439ca34b8 sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev) 2024-02-03 00:17:24 +00:00
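Several of the commits above (170eeeacc4, a90b5b53db, 88a70b41f1, 8029744c90, 660ba94c7c) describe the same mechanism: when a program's sandbox closure is computed, every component of a requested path is checked for symlinks, the link and its target are both exposed, and readlink results are cached so the wrapper does not fork readlink repeatedly. The following is an added example of that technique and is not code from the sane-sandboxed/sanebox project. The directory tree it builds under a temp dir is constructed for the demo; the "nearest existing parent" fallback for missing paths, the 40-hop loop limit, and the choice to recreate links with bubblewrap's `--symlink` (rather than bind-mounting them as commit bd3e06982b does for /run/current-system) are assumptions of this example.

```python
"""Sandbox closure computation with full symlink dereferencing (added example,
not part of sane-sandboxed/sanebox).

A requested path is walked one component at a time. Each symlink crossed is
recorded together with its target, and resolution restarts below the target,
so chains such as /run/current-system -> ../nix/store/<system> ->
/nix/store/<pkg> are fully exposed inside a bubblewrap sandbox.
"""
import os
import tempfile

MAX_LINK_HOPS = 40  # assumption: mirrors the kernel's symlink-loop (ELOOP) limit

# readlink results memoised per host path; None means "not a symlink".
# This is the cache the "symlink cache" commits describe: the same
# directory components get re-checked for every program, so each readlink
# should happen once.
_link_cache = {}


def _readlink_cached(host_path):
    if host_path not in _link_cache:
        _link_cache[host_path] = (os.readlink(host_path)
                                  if os.path.islink(host_path) else None)
    return _link_cache[host_path]


def sandbox_closure(path, root="/"):
    """Return {sandbox_path: link_target_or_None} for everything that must be
    present in the sandbox for `path` to resolve. `root` is the host prefix
    under which the sandbox's view of the filesystem lives (a temp dir in the
    demo, "/" on a real system)."""
    closure = {}
    pending = [path]
    hops = 0
    while pending:
        comps = [c for c in pending.pop().split("/") if c]
        cur = "/"
        resolved = None
        for i, comp in enumerate(comps):
            cur = os.path.join(cur, comp)
            host = os.path.join(root, cur.lstrip("/"))
            if not os.path.lexists(host):
                # Missing component: expose the nearest existing ancestor so the
                # program can create the rest (assumption: existing-or-parent policy).
                resolved = os.path.dirname(cur)
                break
            target = _readlink_cached(host)
            if target is not None:
                hops += 1
                if hops > MAX_LINK_HOPS:
                    raise OSError(f"too many symlink hops resolving {path}")
                closure[cur] = target  # the link itself must be visible in the sandbox
                # Relative targets resolve against the link's own directory in the
                # sandbox view, never against the host prefix.
                if not target.startswith("/"):
                    target = os.path.normpath(os.path.join(os.path.dirname(cur), target))
                # Re-resolve the remainder of the path below the target: any of
                # those components may be symlinks as well (not just the leaf).
                pending.append(os.path.join(target, *comps[i + 1:]))
                break
        else:
            resolved = cur  # every component was real: bind the path itself
        if resolved is not None:
            closure[resolved] = None
    return closure


def bwrap_args(closure):
    """Translate a closure into bubblewrap arguments: links are recreated with
    --symlink TARGET DEST and real paths are bind-mounted read-only in place."""
    args = []
    for sb_path, target in sorted(closure.items()):
        if target is None:
            args += ["--ro-bind", sb_path, sb_path]
        else:
            args += ["--symlink", target, sb_path]
    return args


def build_demo_tree():
    """Constructed sample tree (not a real system) with NixOS-style link chains:
    /run/current-system -> ../nix/store/def-system   (relative link)
    /nix/store/def-system/sw -> /nix/store/abc-app   (absolute link)
    /loop/a -> b, /loop/b -> a                       (deliberate cycle)"""
    root = tempfile.mkdtemp(prefix="closure-demo-")
    os.makedirs(os.path.join(root, "nix/store/abc-app/bin"))
    open(os.path.join(root, "nix/store/abc-app/bin/app"), "w").close()
    os.makedirs(os.path.join(root, "nix/store/def-system"))
    os.symlink("/nix/store/abc-app", os.path.join(root, "nix/store/def-system/sw"))
    os.makedirs(os.path.join(root, "run"))
    os.symlink("../nix/store/def-system", os.path.join(root, "run/current-system"))
    os.makedirs(os.path.join(root, "loop"))
    os.symlink("b", os.path.join(root, "loop/a"))
    os.symlink("a", os.path.join(root, "loop/b"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    demo_closure = sandbox_closure("/run/current-system/sw/bin/app", demo_root)
    for p, t in sorted(demo_closure.items()):
        print(p, "->", t if t else "(bind)")
    print(" ".join(bwrap_args(demo_closure)))
```

Resolving only the leaf would have exposed just `/run/current-system` and the final binary; the intermediate `sw` link would then dangle inside the sandbox and the bind would fail or, worse, a broader parent directory would be whitelisted to compensate. Walking every component keeps the mount set minimal while still making the path resolve.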