6d0a2d63fc
users: make the service manager partly configurable
2024-09-25 15:39:57 +00:00
31615340a7
programs/assorted: remove explicit (and extraneous) sandbox.method = "bunpen" declarations
2024-09-21 23:35:06 +00:00
ea3eaf048e
programs: sandbox with bunpen *by default*; manually opt out or opt to a different sandboxer where required
2024-09-21 23:00:49 +00:00
208b634040
programs/sandboxing: add required args to use pasta
2024-09-21 12:21:11 +00:00
8979ff0eec
bunpen: plumb pasta related arguments into make-sandboxed
...
for testing only: these options don't yet have the intended effect
2024-09-19 23:54:43 +00:00
034c3f987e
programs/make-sandboxed: fix for apps which ship thumbnailers (i.e. gnome papers)
2024-09-17 02:33:51 +00:00
e9decbbf40
sandboxing: add a global toggle to disable sandboxing
2024-09-16 00:38:02 +00:00
b5f9ba62d0
camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly)
...
N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps)
this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that
2024-09-15 11:14:23 +00:00
6e0c83b4f3
modules/programs: don't install bunpen/sanebox unless some program actually requires it
2024-09-14 23:10:19 +00:00
b43ee23459
firefox: allow webcam access
2024-09-13 00:02:48 +00:00
e7f54cda6b
feeds: subscribe to Marijn Braam's blog
2024-09-10 19:54:46 +00:00
ae5bad1514
feeds: subscribe to mii beta / Baby Wogue
2024-09-10 18:16:45 +00:00
1599df26e7
/mnt/persist/private: remove unneeded "sandbox.keepPids"
2024-09-10 01:09:21 +00:00
0b39f18faa
/mnt/persist/ephemeral: dont even try to delete the backing directory -- just everything contained in it
2024-09-10 00:45:07 +00:00
8ae7e255e5
gocryptfs: sandbox with bunpen
2024-09-10 00:02:03 +00:00
95994de1ad
provision-private-key (/run/gocryptfs/private.key): sandbox with bunpen
2024-09-09 03:56:55 +00:00
3ef98a5ab3
modules/programs: support "sandbox.keepIpc = true"
2024-09-07 22:10:11 +00:00
8255e419be
modules/programs: rename "keepUsers" -> "tryKeepUsers"
2024-09-06 06:32:49 +00:00
6e30527688
modules/programs: simplfiy the common combination of keeping pids AND /proc by introducing "keepPidsAndProc"
2024-09-06 04:18:46 +00:00
9340f52df1
modules/programs: rename isolatePids -> keepPids, isolateUsers -> keepUsers
...
this follows my explicit whitelisting elsewhere
2024-09-06 04:06:42 +00:00
850c975321
modules/programs: when sandboxing, use makeBinaryWrapper if supported
2024-09-06 01:17:21 +00:00
8d87a15e60
modules/image: be verbose when we flash the bootloader
2024-09-04 13:50:22 +00:00
9a7fca267e
modules/image: bump /boot space from 1 GiB to 2 GiB
2024-09-04 13:49:40 +00:00
3e182b2a06
modules/persist: lint
2024-09-04 13:13:14 +00:00
6ff35b4366
dbus: place the bus in a subdirectory for better sandboxing
2024-09-04 13:04:20 +00:00
35a41be824
modules/*: lint (esp: modules/vpn.nix -- removed unused priorityWgTable)
2024-09-03 20:24:36 +00:00
50d443ad46
make-sandboxed: fix quoting error
2024-09-03 14:10:06 +00:00
ce7a082447
modules/programs: plum sandbox.keepPids and whitelistPwd into bunpen
2024-09-03 02:25:28 +00:00
41d9eccfe8
bunpen: preserve argv0 in the wrapper
2024-09-03 01:45:48 +00:00
eba9bb3099
feeds: subscribe to Charles Stross blog
2024-09-02 11:38:47 +00:00
3deb17125d
make-sandboxed: handl polkit files when patching bin paths
2024-09-02 11:31:24 +00:00
4328a7ddf3
modules/programs: remove unused arguments
2024-09-02 10:26:42 +00:00
737df8c10e
modules/programs: plumb capabilities into bunpen sandboxer
2024-08-30 20:36:11 +00:00
f26f13ddf3
bunpen: bind "safe"-ish /de items
2024-08-29 20:13:37 +00:00
14929c1102
programs: plum --bunpen-autodetect into modules/programs API
2024-08-28 11:37:18 +00:00
b9fc61e627
modules/programs: plumb bunpen's home/run path binds
2024-08-27 20:36:31 +00:00
3417a9fd3f
sanebox: remove the portal logic, and delegate it to manual handling by those few apps which truly need special casing
...
it's a questionable responsibility to give to the sandbox itself (unless i also have the sandbox do things like dbus proxying, someday). and it will make the bunpen implementation simpler
2024-08-27 11:00:15 +00:00
422e8aeb3f
sanebox: support existingDir{,OrParent} autodetect option
2024-08-26 14:06:49 +00:00
c86d893a2c
modules/programs: sandbox: allow method = "bunpen"
2024-08-23 16:00:31 +00:00
effec38a99
modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox
2024-08-23 16:00:31 +00:00
c5ed1263dc
feeds: subscribe to justine.lol
2024-08-23 16:00:31 +00:00
45ff21822a
feeds: sub JRE (we'll see how long this lasts...)
2024-08-23 06:09:33 +00:00
a9cc0f28e2
feeds: subscribe to linuxdevtime podcast
2024-08-22 07:19:37 +00:00
b4b95be588
make-sandboxed: fix to preserve the specified output, for packages like dig
2024-08-21 04:00:45 +00:00
ae0d6cb8e8
make-sandboxed: preserve outputs of multiple-output packages
...
especially, this fixes the dconf service, since we keep '/libexec'
2024-08-21 03:28:02 +00:00
4055c6d3e9
podcasts: subscribe to C-Span's _The Weekly_
2024-08-20 02:23:41 +00:00
1b4266f8a7
hickory-dns: fix compilation error with newer rustc
2024-08-19 13:29:09 +00:00
ca793af819
make-sandboxed: fix double-wrapping when two symlinks point to the same binary by non-canonical paths (e.g. mount.sshfs -> ../bin/sshfs)
2024-08-16 10:50:20 +00:00
e846a5046a
feeds: subscribe to 404 media
2024-08-16 02:41:17 +00:00
a552ed625b
make-sandboxed: fix several edge-cases for e.g. brave, firefox, especially around handling of wrapped binaries
2024-08-16 02:15:46 +00:00
