Commit Graph

217 Commits

Author SHA1 Message Date
3deb17125d make-sandboxed: handl polkit files when patching bin paths 2024-09-02 11:31:24 +00:00
4328a7ddf3 modules/programs: remove unused arguments 2024-09-02 10:26:42 +00:00
737df8c10e modules/programs: plumb capabilities into bunpen sandboxer 2024-08-30 20:36:11 +00:00
f26f13ddf3 bunpen: bind "safe"-ish /de items 2024-08-29 20:13:37 +00:00
14929c1102 programs: plum --bunpen-autodetect into modules/programs API 2024-08-28 11:37:18 +00:00
b9fc61e627 modules/programs: plumb bunpen's home/run path binds 2024-08-27 20:36:31 +00:00
3417a9fd3f sanebox: remove the portal logic, and delegate it to manual handling by those few apps which truly need special casing
it's a questionable responsibility to give to the sandbox itself (unless i also have the sandbox do things like dbus proxying, someday). and it will make the bunpen implementation simpler
2024-08-27 11:00:15 +00:00
422e8aeb3f sanebox: support existingDir{,OrParent} autodetect option 2024-08-26 14:06:49 +00:00
c86d893a2c modules/programs: sandbox: allow method = "bunpen" 2024-08-23 16:00:31 +00:00
effec38a99 modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox 2024-08-23 16:00:31 +00:00
b4b95be588 make-sandboxed: fix to preserve the specified output, for packages like dig 2024-08-21 04:00:45 +00:00
ae0d6cb8e8 make-sandboxed: preserve outputs of multiple-output packages
especially, this fixes the dconf service, since we keep '/libexec'
2024-08-21 03:28:02 +00:00
ca793af819 make-sandboxed: fix double-wrapping when two symlinks point to the same binary by non-canonical paths (e.g. mount.sshfs -> ../bin/sshfs) 2024-08-16 10:50:20 +00:00
a552ed625b make-sandboxed: fix several edge-cases for e.g. brave, firefox, especially around handling of wrapped binaries 2024-08-16 02:15:46 +00:00
fd6959230f make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better 2024-08-15 10:32:18 +00:00
87e9856497 sanebox: forward argv0 2024-08-15 10:31:21 +00:00
e7d5a61014 libcap: split into separate capsh and captree programs, and sandbox the latter 2024-08-12 10:13:50 +00:00
f8aea34e96 sanebox: bwrap: make user namespace unsharing more obvious 2024-08-07 21:23:21 +00:00
c706a19836 landlock-sandboxer: rename the binary, so that it can be included on PATH without collisions 2024-08-05 22:59:14 +00:00
8ef5920d84 unl0kr: port to an s6 service
this has some drawbacks in its current form and will be tidied

it writes the password also to the consold. it requires 'sudo'.
2024-07-25 18:45:01 +00:00
34e770c5f5 sanebox: fix missing dependency on iptables/iproute2 2024-07-24 03:32:12 +00:00
db292850b0 modules/programs: fix sandbox.net = "vpn" option 2024-07-19 12:44:09 +00:00
132798be23 sanebox: ensure sanebox is always on the PATH of sandboxed binaries 2024-07-16 07:24:42 +00:00
6824080f6b avahi: fix broken sandboxing 2024-07-06 03:08:36 +00:00
5048bd8d70 sanebox: fix that pasta-sandboxed programs would fail compile-time sandboxing test 2024-07-05 20:41:28 +00:00
a12aa02655 sane.programs: provide sandbox.net = "vpn.wg-home" to tunnel through my home ISP 2024-07-05 20:18:34 +00:00
e82feb9f71 make-sandboxed: migrate to binary wrapper 2024-07-03 19:35:56 +00:00
4839a40205 make-sandboxed: use makeWrapper proper, rather than rolling my own
i can't use the _binary_ wrapper unless i use a fully-qualified path to 'sanebox' or hide it behind something like /usr/bin/env
2024-07-03 17:54:38 +00:00
f54f1c57bc avahi: integrate with nss
now i can resolve .local hosts, via glibc, e.g. 'getent hosts <host>.local'
2024-06-27 06:18:48 +00:00
46e9d5f758 programs: fix s6 deps when dbus isnt enabled 2024-06-12 07:11:41 +00:00
3aa2ece59b modules/programs: convert lib.optionalAttrs to mkIf
this allows stuff to be lazier
2024-06-07 07:26:07 +00:00
45e121eb1c make-sandboxed: preserve meta.mainProgram 2024-06-01 20:01:24 +00:00
36f4fa3018 checkSandboxed: fix so that cross-built scripts can be checked again
how did this work earlier? does lappy have binfmt enabled??
2024-06-01 13:24:41 +00:00
f875db916d sandboxing: fix checkSandboxed to handle packages with multiple outputs 2024-06-01 12:12:46 +00:00
f296d8df93 make-sandboxed: fix multi-output packages and sandbox *all* their outputs
this mostly applies to the wrapperType = 'inplace' users
2024-05-31 23:26:16 +00:00
4aeb3360d3 cleanup: programs: dont assume sway is always the wayland/x11 provider 2024-05-30 06:00:32 +00:00
0c456d11d8 programs: ensure things which depend on sound or wayland are ordered after it 2024-05-30 04:55:05 +00:00
3b73773169 programs: ensure things which depend on dbus are ordered after it 2024-05-30 03:48:45 +00:00
9ba8ff738b refactor: sane.programs.$foo.service: specify type concretely 2024-05-30 03:39:32 +00:00
c5c174f988 sway: patch to use a narrower sandbox 2024-05-29 18:24:59 +00:00
d865be952a refactor: sandboxing: replace manual --sanebox-keep-namespace pid config with isolatePids = false 2024-05-29 12:56:46 +00:00
00d06db66a make-sandboxed: handle more systemd service files 2024-05-29 12:54:44 +00:00
be38d56717 make-sandboxed: handle more systemd/dbus service file locations 2024-05-28 13:36:01 +00:00
af72f312d3 sandbox: remove /run/wrappers: SUID wrappers dont really accomplish much inside a namespace 2024-05-26 01:18:30 +00:00
73f5c9608e sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@ 2024-05-25 10:26:36 +00:00
b035d312aa firejail: purge 2024-05-25 10:21:31 +00:00
7b1bc210fd sanebox: integrate with pasta (passt) for better net sandboxing 2024-05-25 09:39:18 +00:00
118ed5f950 sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge 2024-05-25 08:17:38 +00:00
ffe599e5cb sanebox: rename --sanebox-net to --sanebox-net-dev 2024-05-25 08:13:35 +00:00
cbbddee152 modules/programs: add ~/.config/FOO and ~/.local/share/FOO to the sandbox where applicable 2024-05-18 06:32:07 +00:00