45e121eb1c
make-sandboxed: preserve meta.mainProgram
2024-06-01 20:01:24 +00:00
36f4fa3018
checkSandboxed: fix so that cross-built scripts can be checked again
...
how did this work earlier? does lappy have binfmt enabled??
2024-06-01 13:24:41 +00:00
f875db916d
sandboxing: fix checkSandboxed
to handle packages with multiple outputs
2024-06-01 12:12:46 +00:00
f296d8df93
make-sandboxed: fix multi-output packages and sandbox *all* their outputs
...
this mostly applies to the wrapperType = 'inplace' users
2024-05-31 23:26:16 +00:00
00d06db66a
make-sandboxed: handle more systemd service files
2024-05-29 12:54:44 +00:00
be38d56717
make-sandboxed: handle more systemd/dbus service file locations
2024-05-28 13:36:01 +00:00
17eaa7446a
sanebox: remove all profile-related features except for direct, path-based profile loading
2024-05-15 09:13:20 +00:00
adfaa7f9c1
sane-sandboxed -> sanebox
2024-05-15 01:41:40 +00:00
2eea562d1f
sandbox: remove unused "binMap" option
2024-04-15 19:56:33 +00:00
56aca78d84
make-sandboxed: also sandbox the .lib
output of a package
2024-03-13 04:49:48 +00:00
a45e42910d
make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage
2024-03-02 07:11:45 +00:00
812c0c8029
packages: reduce the number of packages which are using inplace sandbox wrapping
2024-02-28 17:35:40 +00:00
a4248fd5cc
make-sandboxed: don't try to wrap directories
...
whoops. test -x is true for directories
2024-02-28 16:28:25 +00:00
6ef729bbaf
assorted: prefer runCommandLocal over runCommand where it makes sense
2024-02-27 22:26:56 +00:00
8f424dcd5a
programs: sandboxing: link /etc into sandboxed programs
...
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
4ced02b0b2
modules/programs: make-sandboxed: fix incorrect "priority" attribute
2024-02-17 03:32:49 +00:00
8c9c6ec979
modules/programs: make-sandboxed: support /libexec binaries
2024-02-16 03:15:45 +00:00
7b28023e08
modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr
2024-02-12 14:27:48 +00:00
3e0b0a0f02
modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
2024-02-12 11:52:33 +00:00
7c05d221d6
modules/programs: split "make-sandbox-profile" out of "make-sandboxed"
2024-02-12 11:20:40 +00:00
bc85169e3d
programs: sandboxer: allow disable net access
2024-02-08 21:07:34 +00:00
2fc1fe7510
modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries
2024-02-06 19:55:55 +00:00
d7612d5034
modules/programs: make-sandboxed: avoid deep-copying all of /share when sandboxing
...
saves like 1 GiB of closure. but i haven't thoroughly tested this
2024-02-06 05:02:02 +00:00
413903d03c
make-sandboxed: also embed profiles for the withEmbeddedSandboxer passthru pkg
2024-02-05 08:26:40 +00:00
3439ca34b8
sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev)
2024-02-03 00:17:24 +00:00
5e3c2636db
programs: make-sandboxed: handle packages which use relative links in bin (like spotify)
2024-02-02 22:38:36 +00:00
881d2f79ed
modules/programs: add "unchecked" passthru to aid debugging
2024-01-29 13:36:01 +00:00
47abdfb831
modules/programs: patch dbus-1 files to use sandboxed binaries
2024-01-29 13:09:43 +00:00
3831c6f087
TODO: fold
2024-01-29 13:07:44 +00:00
4f8d476ebf
modules/programs: patch old /nix/store paths in .desktop files
2024-01-29 12:56:08 +00:00
7af970f38c
modules/programs: extend wrapperType="wrappedDerivation" to handle common share/ items
2024-01-29 11:59:38 +00:00
32824cfade
modules/programs: sandbox in a manner that's more compatible with link-heavy apps like busybox, git, etc
2024-01-29 09:56:30 +00:00
7b9795ea3d
modules/programs: implement embedWrapper
option
2024-01-29 09:13:49 +00:00
f100595257
modules/programs: properly forward autodetectCliPaths to the sandboxer
2024-01-28 10:31:07 +00:00
40fee97b06
modules/programs: make-sandboxed: disallowReferences to the fake sane-sandboxed used during checkPhase
2024-01-28 08:58:13 +00:00
3cc8292d8b
modules/programs: make-sandboxed: support packages with checkPhase by bypassing the sandbox
2024-01-28 07:45:08 +00:00
9261d30a34
modules/programs: reformatting
2024-01-28 05:58:08 +00:00
3eb3a8db5a
modules/programs: add a whitelistPwd
option to grant the program access to the directory it was called from
2024-01-28 05:57:30 +00:00
4d7414c941
programs: introduce and use "autodetectCliPaths" nix config
2024-01-27 17:19:48 +00:00
5ca208d07f
modules/programs: sandbox: add enable flag and capabilities structured config
2024-01-27 17:08:27 +00:00
26b978dcf2
modules/programs: sandbox: fix "inline" -> "inplace" typo
2024-01-27 14:42:25 +00:00
d8b6d419b6
modules/programs: sandboxing: add wrapperType = "wrappedDerivation"
to wrap without rebuilding the whole package
2024-01-27 14:26:41 +00:00
a6b824d3c4
modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system
2024-01-27 12:23:25 +00:00
f148334b58
programs: port extraFirejailConfig to extraConfig
2024-01-23 14:57:33 +00:00
27b56b1a12
programs: sane-sandbox: implement a cleaner debugshell and test API
2024-01-23 11:19:52 +00:00
6e9220d2bb
programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing
2024-01-23 10:44:13 +00:00
0ddcfcaa23
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds
2024-01-23 08:01:23 +00:00
a4cb6645b4
programs: indirect firejail access through sane-sandboxed
2024-01-23 04:02:31 +00:00
f49d2a1e0e
programs: split "makeSandboxed" into its own file
2024-01-23 01:23:14 +00:00