4328a7ddf3
modules/programs: remove unused arguments
2024-09-02 10:26:42 +00:00
3417a9fd3f
sanebox: remove the portal logic, and delegate it to manual handling by those few apps which truly need special casing
...
it's a questionable responsibility to give to the sandbox itself (unless i also have the sandbox do things like dbus proxying, someday). and it will make the bunpen implementation simpler
2024-08-27 11:00:15 +00:00
422e8aeb3f
sanebox: support existingDir{,OrParent} autodetect option
2024-08-26 14:06:49 +00:00
c86d893a2c
modules/programs: sandbox: allow method = "bunpen"
2024-08-23 16:00:31 +00:00
effec38a99
modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox
2024-08-23 16:00:31 +00:00
e7d5a61014
libcap: split into separate capsh and captree programs, and sandbox the latter
2024-08-12 10:13:50 +00:00
f8aea34e96
sanebox: bwrap: make user namespace unsharing more obvious
2024-08-07 21:23:21 +00:00
c706a19836
landlock-sandboxer: rename the binary, so that it can be included on PATH without collisions
2024-08-05 22:59:14 +00:00
8ef5920d84
unl0kr: port to an s6 service
...
this has some drawbacks in its current form and will be tidied
it writes the password also to the consold. it requires 'sudo'.
2024-07-25 18:45:01 +00:00
34e770c5f5
sanebox: fix missing dependency on iptables/iproute2
2024-07-24 03:32:12 +00:00
db292850b0
modules/programs: fix sandbox.net = "vpn" option
2024-07-19 12:44:09 +00:00
6824080f6b
avahi: fix broken sandboxing
2024-07-06 03:08:36 +00:00
a12aa02655
sane.programs: provide sandbox.net = "vpn.wg-home" to tunnel through my home ISP
2024-07-05 20:18:34 +00:00
f54f1c57bc
avahi: integrate with nss
...
now i can resolve .local hosts, via glibc, e.g. 'getent hosts <host>.local'
2024-06-27 06:18:48 +00:00
46e9d5f758
programs: fix s6 deps when dbus isnt enabled
2024-06-12 07:11:41 +00:00
3aa2ece59b
modules/programs: convert lib.optionalAttrs to mkIf
...
this allows stuff to be lazier
2024-06-07 07:26:07 +00:00
f875db916d
sandboxing: fix checkSandboxed to handle packages with multiple outputs
2024-06-01 12:12:46 +00:00
4aeb3360d3
cleanup: programs: dont assume sway is always the wayland/x11 provider
2024-05-30 06:00:32 +00:00
0c456d11d8
programs: ensure things which depend on sound or wayland are ordered after it
2024-05-30 04:55:05 +00:00
3b73773169
programs: ensure things which depend on dbus are ordered after it
2024-05-30 03:48:45 +00:00
9ba8ff738b
refactor: sane.programs.$foo.service: specify type concretely
2024-05-30 03:39:32 +00:00
c5c174f988
sway: patch to use a narrower sandbox
2024-05-29 18:24:59 +00:00
d865be952a
refactor: sandboxing: replace manual --sanebox-keep-namespace pid config with isolatePids = false
2024-05-29 12:56:46 +00:00
af72f312d3
sandbox: remove /run/wrappers: SUID wrappers dont really accomplish much inside a namespace
2024-05-26 01:18:30 +00:00
73f5c9608e
sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@
2024-05-25 10:26:36 +00:00
b035d312aa
firejail: purge
2024-05-25 10:21:31 +00:00
7b1bc210fd
sanebox: integrate with pasta (passt) for better net sandboxing
2024-05-25 09:39:18 +00:00
118ed5f950
sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge
2024-05-25 08:17:38 +00:00
cbbddee152
modules/programs: add ~/.config/FOO and ~/.local/share/FOO to the sandbox where applicable
2024-05-18 06:32:07 +00:00
1211023c55
modules/programs: remove dead code from per-user profiles
2024-05-15 23:58:10 +00:00
b4229ecb1e
sanebox: load the link cache from a static /etc path instead of via CLI args
2024-05-15 23:55:15 +00:00
348837ff4a
programs: sandboxing: replace profiles with raw CLI args
2024-05-15 09:13:20 +00:00
17eaa7446a
sanebox: remove all profile-related features except for direct, path-based profile loading
2024-05-15 09:13:20 +00:00
530664294a
programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS
2024-05-15 08:54:16 +00:00
b649071d98
programs: sandboxing: make the profiles be generic across users
...
this is a step toward making the profile not even be dynamically loaded, since its content is no longer dynamic :)
2024-05-15 08:48:09 +00:00
ea2653b7ce
programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
2024-05-15 08:20:09 +00:00
4c1b1282d6
modules/programs: sandbox: be compatible with systemd resolved again
2024-05-15 02:57:40 +00:00
adfaa7f9c1
sane-sandboxed -> sanebox
2024-05-15 01:41:40 +00:00
bee3eea040
modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox
2024-05-14 04:18:29 +00:00
f3106ee316
programs: maxBuildCost: fix to actually build everything by default
2024-05-13 22:57:40 +00:00
43d32641f3
programs: buildCost: introduce a new level between min and light
2024-05-13 22:45:33 +00:00
46d95805e9
programs: simplify sandbox symlink closure code
2024-05-13 07:49:00 +00:00
bd3e06982b
sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked
2024-05-13 02:11:47 +00:00
660ba94c7c
sane-sandboxed: introduce a symlink cache to reduce readlink calls even more
...
it's all a bit silly. i still do a bunch of -L tests: i just avoid the costly readlink fork :|
2024-05-13 01:31:30 +00:00
2eea562d1f
sandbox: remove unused "binMap" option
2024-04-15 19:56:33 +00:00
0385c09f23
sane-sandboxed: split out into an actual package
2024-04-15 18:57:22 +00:00
4b22fd95bf
introduce 'moby-min' host variant for the quickest deployment (no webkitgtk)
2024-04-13 20:29:24 +00:00
03fbb780b2
sane.programs: sandbox: refactor extraRuntimePaths computation
2024-03-24 12:03:38 +00:00
9c0b175260
swaync: allow toggling of s6 services
2024-03-24 11:54:12 +00:00
6102a0301d
sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox
2024-03-23 16:37:22 +00:00
