04eb5ed012
bunpen: more verbose logging when we exec
2024-09-03 01:45:28 +00:00
0279c030de
loupe: sandbox with bunpen
2024-09-03 00:33:16 +00:00
f0ea3f8bf6
fractal: sandbox with bunpen
2024-09-03 00:32:03 +00:00
f3b9369783
bunpen: implement BUNPEN_DISABLE=1 env var to bypass sandboxing
2024-09-03 00:27:14 +00:00
5ae12272bd
bunpen: restrict/namespace: fix so that nested mounts mount both paths
...
so e.g. '--bunpen-path /' at the end of the CLI will actually do something
2024-09-02 23:50:19 +00:00
6a1b4fdba1
bunpen: logging: make the exec log line easier to understand
2024-09-02 23:24:46 +00:00
0264ed68f4
bunpen: check syscall return codes more strictly
...
many syscalls say *specifically* in their documentation that they return 0 on success (implying no other value is success)
2024-09-02 22:39:52 +00:00
384472c1c4
nix: fix typo in NIXPATH introduced in a39d705ff5
2024-09-02 21:54:14 +00:00
1719943a6e
bunpen: log the args it was invoked with
2024-09-02 21:53:41 +00:00
0ee51d1812
bunpen: peek through *all* symlinks, not just intermediary ones
...
`mount` doesnt seem to mount over symlinks, hence why we have to follow even terminal symlinks
2024-09-02 21:47:51 +00:00
5e84056715
bunpen: make --bunpen-caps all behave as shorthand for literally specifying every capability
2024-09-02 20:39:18 +00:00
da72fc9d52
bunpen: fix typo that prevented assigning caps >= 32
2024-09-02 20:36:37 +00:00
36e2f57b06
bunpen: proper capability boxing
...
the Amb/Bound sets are written as specified, and I/P set so as to be activated when we exec the wrapped program
2024-09-02 20:21:09 +00:00
bc2823d622
bunpen: better (still incomplete) capability boxing
2024-09-02 18:55:53 +00:00
8b53f97c1c
bunpen: bind the different PR_CAP* prctl syscalls
...
see 'man prctl' for additional calls, some of which were omitted because i don't expect to need them
2024-09-02 17:02:02 +00:00
712b2c38f0
firefox: disable Ctrl+W shortcut
...
finally, i can stop accidentally killing tabs when i mean to backspace
2024-09-02 15:43:12 +00:00
3212664f37
firefox: migrate extraPolicies to overrides.cfg
...
this fixes that the bookmarks policy in extraPolicies was breaking my bookmarks import
2024-09-02 15:15:00 +00:00
98c62f66dd
firefox: add duckduckgo search bookmark
2024-09-02 14:11:13 +00:00
1677f77fd6
firefox: statically define a few bookmarks
2024-09-02 14:04:47 +00:00
c5e21546ff
firefox: refactor: split addons into separate file
2024-09-02 13:57:53 +00:00
5eb597b133
programs: firefox: move to subdir
...
then i'll split it into separate files fore easier management
2024-09-02 13:41:11 +00:00
90f7953615
firefox: remove dead code
2024-09-02 13:29:11 +00:00
ab15d2a991
programs: replace gnome-disk-utility with gparted
...
the latter *appears* to work better when sandboxed
2024-09-02 12:02:32 +00:00
eba9bb3099
feeds: subscribe to Charles Stross blog
2024-09-02 11:38:47 +00:00
3deb17125d
make-sandboxed: handl polkit files when patching bin paths
2024-09-02 11:31:24 +00:00
49a38001bc
update-feed: support sites which are accessible only by www.FOO and not toplevel FOO
2024-09-02 11:30:53 +00:00
a39d705ff5
nix: fix NIXPATH to be free of symlinks
2024-09-02 11:29:58 +00:00
4328a7ddf3
modules/programs: remove unused arguments
2024-09-02 10:26:42 +00:00
1b959272a1
moby: fetch the ANX7688 patch from lkml instead of armbian
...
didn't actually deploy this, but it builds
2024-09-02 10:07:37 +00:00
9d83f4cbf7
NetworkManager: reduce hardening options which broke IPv6 link-local addressing
...
'ip -6 addr' should show an address even on networks which aren't
routable. /proc or /sys sandboxing was preventing this (with error messages logged to syslog).
2024-09-01 23:13:30 +00:00
48fccebd1e
iptables: temporarily disable sandbox
...
it was overrestrictive
2024-09-01 21:24:19 +00:00
8f4d4c97bc
avahi: ensure that mDNS responses arent blocked by rpfilter
...
this PROBABLY isnt necessary, but keep it here as i debug stuff at least
2024-09-01 21:23:52 +00:00
0419e50cc3
upnp: fix rpfilter to support IPv6, too
2024-09-01 21:21:57 +00:00
80d3ad3d0e
moby: wifi low power patch: clarify that it just mitigates, doesnt solve, the reconnections
2024-09-01 21:21:30 +00:00
3d3853d596
moby: rtw88 wifi: disable deep sleep to prevent disconnections
2024-09-01 17:37:53 +00:00
cfa60ce41c
common/fs: remove dead nfs code
2024-09-01 15:50:28 +00:00
942ca82445
assorted: hosts/common: remove unused module parameters
2024-09-01 15:49:15 +00:00
336696bb06
scripts/deploy: show the nix copy command, to aid in manual runs
2024-09-01 15:41:33 +00:00
7d75b3c736
neovim: docs: suggest alternate mappings for nvim-cmp
2024-09-01 15:38:13 +00:00
3ca2c7ec53
sane-tag-media: fix escapes in docstring
2024-09-01 14:30:53 +00:00
9d605030c3
cross: wike: push build fix to upstream nixpkgs
2024-09-01 13:44:31 +00:00
e1d678093e
ayatana, switchboard: push cross patches upstream
2024-09-01 13:16:39 +00:00
5586a3a87b
moby: document status of linux 6.11
2024-09-01 11:35:20 +00:00
38c6ecefa6
programs: ship camera debugging tools
2024-09-01 11:31:10 +00:00
c80aa813d9
neovim: ship GitMessenger plugin for git-blame-like functionality
2024-09-01 01:12:27 +00:00
4f6ea0938c
neovim: Ctrl+Space to autocomplete
2024-09-01 01:00:37 +00:00
7ed78686c2
hal/pine64: remove more commented out patches which are irrelevant to pinephone
2024-08-31 22:42:04 +00:00
96b90b84d3
linux-firmware-megous: lint
2024-08-31 21:57:33 +00:00
c32be5d170
hal/pine64: remove some commented out patches which are *definitely* irrelevant to pinephone
...
probably there are way more; i just have to make sense of the weird name scheme and be sure which sensors are/aren't on the pinephone
2024-08-31 21:50:50 +00:00
7830603ff3
cleanup: impure.nix: remove extraneous parentheses
2024-08-31 21:20:18 +00:00
