bb569b1668
sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo)
2024-02-20 22:21:02 +00:00
34524ea3e4
modules/vpn: fix the vpn-* systemd services
2024-02-20 20:40:46 +00:00
d7be5da483
warnings.nix: port to a proper module
2024-02-20 11:19:12 +00:00
34dedcff57
modules/programs: sane-sandboxed: fix normPath handling of paths containing special characters like [
2024-02-19 15:32:23 +00:00
95cb5624ca
modules/programs: sane-sandboxed: fix bug that --sane-sandbox-path / wasn't being canonicalized
2024-02-18 13:53:53 +00:00
600f6eb56c
modules/programs: sane-sandboxed: remove all remaining forks/subshells
...
launchtime for firefox in bwrap is about 65ms; 35ms for --sane-sandbox-method none
2024-02-18 13:15:04 +00:00
fd6f8493a7
modules/programs: sane-sandboxed: remove all forking from normPath
...
reduces time for librewolf benchmark from 90ms -> 65ms. there's still _some_ forking in this script, but it's constant now.
2024-02-18 12:25:03 +00:00
f10f1ee7b1
modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells
...
each subshell causes like 5ms just on my laptop, which really adds up.
this implementation still forks internally, but doesn't exec.
runtime decreases from 150ms -> 90ms for
`time librewolf --sane-sandbox-replace-cli true`
2024-02-18 12:08:23 +00:00
cef2591425
modules/programs: sane-sandboxed: capshonly/landlock: don't request capabilities we know won't be granted
2024-02-17 16:30:18 +00:00
4ced02b0b2
modules/programs: make-sandboxed: fix incorrect "priority" attribute
2024-02-17 03:32:49 +00:00
029ba43bd6
modules/programs: sane-sandboxed: invoke "capsh" with the --no-new-privs argument
2024-02-16 05:48:50 +00:00
8c9c6ec979
modules/programs: make-sandboxed: support /libexec binaries
2024-02-16 03:15:45 +00:00
1edb1fc8b6
modules/programs: sane-sandboxed: avoid adding the sandbox implementation to $PATH
2024-02-15 17:58:22 +00:00
8d20dcadd1
modules/programs: sane-sandboxed: add --sane-sandbox-keep-pidspace flag
2024-02-15 15:05:28 +00:00
c943442c94
modules/programs: sane-sandboxed: add --sane-sandbox-method none for benchmarking
2024-02-15 13:13:39 +00:00
02dd629616
modules/programs: sane-sandboxed: rework so portal env vars aren't set when sandbox is disabled
...
and by setting them only at launch time we aid introspectability/debugging
2024-02-15 11:57:36 +00:00
5f1036118f
modules/programs: sandboxing: add a "whitelistX" option
2024-02-15 00:09:16 +00:00
22ca253ae0
modules/programs: better document the env option
2024-02-14 11:08:43 +00:00
8b32f2f231
modules/programs: add support for 'autodetectCliPaths = parent'
2024-02-14 04:31:59 +00:00
080bd856ec
programs: sandboxing: only permit wayland socket access to those specific apps which require it
2024-02-14 01:49:49 +00:00
548a95a7e1
modules/programs: sandboxing: unshare ipc/cgroup/uts by default
2024-02-14 01:48:59 +00:00
34b148f6cc
modules/programs: allow specifying perlPackages members as programs, as i do with python3Packages, etc
2024-02-13 12:31:04 +00:00
1a18ed533b
programs: don't include dbus in the sandbox by default
2024-02-13 11:58:33 +00:00
6eaaeeb91a
programs: remove audio from the sandbox by default
2024-02-13 11:14:38 +00:00
bb68506839
modules/programs: add separate "user" v.s. "system" options for whitelistDbus
2024-02-13 10:55:10 +00:00
126f3e4922
programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default
2024-02-13 10:28:30 +00:00
73afceb8c6
modules/programs: sandbox: add whitelistWayland option
2024-02-13 10:24:35 +00:00
27fd81ad80
modules/programs: add new options for whitelisting audio/dbus
2024-02-12 15:23:35 +00:00
d82b4b0f62
modules/programs: sane-sandboxed: reorder the --sane-sandbox-profile-dir arg so it takes precedence
2024-02-12 14:56:48 +00:00
7b28023e08
modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr
2024-02-12 14:27:48 +00:00
2b9db897a1
implement sane.defaultUser attr
2024-02-12 14:27:32 +00:00
6124cb9b36
modules/programs: sane-sandboxed: search for profiles in XDG_DATA_DIRS, not NIX_PROFILES
2024-02-12 13:16:48 +00:00
b0394d877d
modules/programs: rename allowedRootPaths -> allowedPaths
...
now that allowedHomePaths doesn't exist
2024-02-12 13:00:10 +00:00
14d8230821
modules/programs: sane-sandboxed: remove --sane-sandbox-home-path argument and plumbing
...
no longer needed, and mixing this with root paths is liable to cause troubles at this point, around symlink dereferencing/canonicalization/etc
2024-02-12 12:57:54 +00:00
a90b5b53db
modules/programs: sandboxing: dereference symlinks and also include those in the sandbox
2024-02-12 12:48:02 +00:00
eee3e138ff
modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox
2024-02-12 12:18:59 +00:00
f61cd17e99
modules/programs: sandboxing: specialize profiles per-user by expanding $HOME
2024-02-12 12:08:58 +00:00
3e0b0a0f02
modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
2024-02-12 11:52:33 +00:00
2ee34e9af3
modules/profiles: remove sandbox.embedProfile option
...
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
2024-02-12 11:35:59 +00:00
7c05d221d6
modules/programs: split "make-sandbox-profile" out of "make-sandboxed"
2024-02-12 11:20:40 +00:00
93012664e5
modules/programs: simplify how sandbox profiles make it into system packages
2024-02-12 10:52:44 +00:00
c424f7ac3b
sane-sandboxed: load all profiles, not just the first one we find
...
this allows some amount of overriding, or splitting profiles between system and user dirs
2024-02-12 10:40:15 +00:00
088b6f1b9a
sane-sandboxed: load profiles via $NIX_PROFILES env var
2024-02-12 10:37:26 +00:00
96575acf3a
programs: sane-sandboxed: move parseArgsExtra to outer scope; improve docs
2024-02-12 10:28:14 +00:00
e81df0ac86
modules/programs: enforce that user services don't accidentally override PATH
2024-02-12 08:44:55 +00:00
87050a0500
feeds: add "FullTimeNix" podcast :)
2024-02-12 00:09:49 +00:00
0861edd7f9
modules/programs: remove ~/.config/mimeo from sandbox defaults
2024-02-11 23:35:27 +00:00
b6bf8720c9
modules/programs: implement --sane-sandbox-portal flag for apps which want to use the portal to open other apps
2024-02-11 23:32:24 +00:00
0d3adcdc5c
modules: users: have user services inherit PATH from environment rather than forcibly overwriting it
2024-02-09 09:50:26 +00:00
9ac0e0e4fc
modules/programs: put things in a pid namespace by default
2024-02-08 23:36:59 +00:00
c9af5bf9b4
programs: sandboxing: enable net isolation for most sandboxed programs
2024-02-08 21:51:32 +00:00
bc85169e3d
programs: sandboxer: allow disable net access
2024-02-08 21:07:34 +00:00
0c050d1953
programs: fuzzel: fix overly-aggressive sandboxing
2024-02-06 20:10:29 +00:00
2fc1fe7510
modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries
2024-02-06 19:55:55 +00:00
5f8699fcef
rearrange /mnt structure for host-based subdirs
...
e.g. /mnt/servo/media, /mnt/desko/home, etc
2024-02-06 05:48:11 +00:00
d7612d5034
modules/programs: make-sandboxed: avoid deep-copying all of /share when sandboxing
...
saves like 1 GiB of closure. but i haven't thoroughly tested this
2024-02-06 05:02:02 +00:00
ed3935318d
feeds: subscribe to non-paywalled Matt Levine
2024-02-05 16:41:38 +00:00
413903d03c
make-sandboxed: also embed profiles for the withEmbeddedSandboxer passthru pkg
2024-02-05 08:26:40 +00:00
4d51c34ad2
programs: allow sane.strictSandboxing = "warn"
2024-02-05 05:28:02 +00:00
3439ca34b8
sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev)
2024-02-03 00:17:24 +00:00
0ee9f2026c
sane-sandboxed: hopefully fix a problem with path normalization for paths with spaces
2024-02-02 22:56:43 +00:00
5e3c2636db
programs: make-sandboxed: handle packages which use relative links in bin (like spotify)
2024-02-02 22:38:36 +00:00
2bb9115f35
modules/programs: sandboxing: add "whitelistDri" option for gfx-intensive apps
2024-02-02 17:18:51 +00:00
065d045640
fix so sway inherits program env vars
2024-02-02 15:36:06 +00:00
567c7993b6
modules/programs: sandbox: allow mimeo config in any sandbox
2024-02-02 12:52:36 +00:00
00f995aec9
fixup landlock-sandboxer to work well for all systems
...
downgrade lappy/desko/servo back to default linux; zfs doesn't support latest
build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way
2024-01-31 21:19:10 +00:00
881d2f79ed
modules/programs: add "unchecked" passthru to aid debugging
2024-01-29 13:36:01 +00:00
47abdfb831
modules/programs: patch dbus-1 files to use sandboxed binaries
2024-01-29 13:09:43 +00:00
3831c6f087
TODO: fold
2024-01-29 13:07:44 +00:00
4f8d476ebf
modules/programs: patch old /nix/store paths in .desktop files
2024-01-29 12:56:08 +00:00
7af970f38c
modules/programs: extend wrapperType="wrappedDerivation" to handle common share/ items
2024-01-29 11:59:38 +00:00
32824cfade
modules/programs: sandbox in a manner that's more compatible with link-heavy apps like busybox, git, etc
2024-01-29 09:56:30 +00:00
51fc61b211
sane-sandboxed: cleanup
2024-01-29 09:14:43 +00:00
7b9795ea3d
modules/programs: implement embedWrapper option
2024-01-29 09:13:49 +00:00
5f3e481fe4
sane-sandboxed: refactor and avoid passing duplicate/subpaths into the sandbox
2024-01-29 07:15:02 +00:00
86219d7006
sane-sandboxed: simplify: consolidate homePaths and rootPaths into just "paths"
2024-01-29 05:43:10 +00:00
24c70c3683
feeds: switch acoup.blog to the database type feed
...
at some point my feed script became capable of understanding his RSS :)
2024-01-28 12:37:38 +00:00
294f167df0
sane-sandboxed: fix CLI escaping with capsh
2024-01-28 11:11:07 +00:00
f100595257
modules/programs: properly forward autodetectCliPaths to the sandboxer
2024-01-28 10:31:07 +00:00
e84da827c2
sane-sandboxed: fix typo in add-pwd flag
2024-01-28 09:17:12 +00:00
42f9fa029d
modules/programs: fix that whitelistPwd wasn't passed into the sandbox profile
2024-01-28 09:04:27 +00:00
40fee97b06
modules/programs: make-sandboxed: disallowReferences to the fake sane-sandboxed used during checkPhase
2024-01-28 08:58:13 +00:00
3cc8292d8b
modules/programs: make-sandboxed: support packages with checkPhase by bypassing the sandbox
2024-01-28 07:45:08 +00:00
9261d30a34
modules/programs: reformatting
2024-01-28 05:58:08 +00:00
3eb3a8db5a
modules/programs: add a whitelistPwd option to grant the program access to the directory it was called from
2024-01-28 05:57:30 +00:00
97129268f0
modules/programs: sandbox: add "capshonly" as a valid sandbox.method
2024-01-28 05:57:11 +00:00
4d7414c941
programs: introduce and use "autodetectCliPaths" nix config
2024-01-27 17:19:48 +00:00
a7d081bfcb
modules/programs: add a sane.strictSandboxing option
2024-01-27 17:11:07 +00:00
5ca208d07f
modules/programs: sandbox: add enable flag and capabilities structured config
2024-01-27 17:08:27 +00:00
26b978dcf2
modules/programs: sandbox: fix "inline" -> "inplace" typo
2024-01-27 14:42:25 +00:00
d8b6d419b6
modules/programs: sandboxing: add wrapperType = "wrappedDerivation" to wrap without rebuilding the whole package
2024-01-27 14:26:41 +00:00
a06c81643c
sane-sandboxed: don't error if ~ files aren't available to be bound
2024-01-27 12:48:58 +00:00
15fd7bf4a5
sane-sandboxed: implement a "capshonly" backend
2024-01-27 12:39:36 +00:00
a6b824d3c4
modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system
2024-01-27 12:23:25 +00:00
3b4884fcf1
sane-sandbox: fix secret binding
2024-01-27 11:26:10 +00:00
4319dc58eb
programs: landlock: restrict the capabilities of sandboxed processes
2024-01-27 09:49:51 +00:00
3122434908
programs: add an option to configure extra home paths to make accessible in the sandbox
2024-01-27 09:11:32 +00:00
d54f8b1e93
programs: fix so environment variables make it onto user sessions
2024-01-27 09:02:55 +00:00
b417f60769
sane-sandboxed: try binding /proc/self in landlock. still doesn't work well
2024-01-27 05:59:40 +00:00
df2d5b6d01
sane-sandboxed: fixup /dev/std* for wireshark
2024-01-27 05:12:43 +00:00
a66b257644
sane-sandboxed: better support for landlock and SANE_SANDBOX_PREPEND/APPEND
2024-01-27 04:43:42 +00:00
ef66d2ec72
sane-sandboxed: add support for landlock backend
2024-01-27 03:39:26 +00:00
64878bee67
sane-sandboxed: add SANE_SANDBOX_PREPEND, SANE_SANDBOX_APPEND env vars
2024-01-26 09:14:18 +00:00
c4874c85b1
bubblewrap: debugging
2024-01-26 09:13:00 +00:00
7f002b8718
programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting
2024-01-24 06:34:11 +00:00
824630f7d1
programs: sandboxing: document /dev/dri a bit more
2024-01-24 05:28:27 +00:00
57105c6861
sane-sandboxed: autodetect: handle file:/// URIs
2024-01-24 05:00:08 +00:00
3758044e7b
sane-sandboxed: better handle "--"
2024-01-24 04:59:24 +00:00
bfaf098c31
sane-sandboxed: fix handling of -- (which previously smushed arguments)
2024-01-24 02:52:01 +00:00
089f86d5e4
programs: make /usr/bin/env available in the sandbox
...
enables KOReader to run
2024-01-24 01:48:02 +00:00
bdd70f8fa2
sane-sandboxed: ignore the executable path when autodetecting media
2024-01-23 16:32:06 +00:00
bfd5630e21
programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths
2024-01-23 15:48:12 +00:00
576d2c32f0
programs: support secrets even when sandboxed
2024-01-23 14:57:33 +00:00
25739ec2ba
programs: sane-sandboxed: avoid reading firejail profiles when the backend isn't firejail
...
this should provide a marginal perf gain
2024-01-23 14:57:33 +00:00
f148334b58
programs: port extraFirejailConfig to extraConfig
2024-01-23 14:57:33 +00:00
3a6ee8708e
programs: sane-sandboxed: don't error if network mountpoints are offline
2024-01-23 13:13:31 +00:00
983bf93d8f
programs: sane-sandboxed: make the profile handle arguments with spaces
2024-01-23 12:47:25 +00:00
40cc8f5d1c
programs: sane-sandboxed: make more debuggable
2024-01-23 12:27:23 +00:00
cce03a5dc8
programs: sandbox: use --dev-bind-try for root paths; fixes mpv on moby
2024-01-23 12:18:32 +00:00
98dfc3aa5a
programs: sandbox: allow all programs to access media
...
hopefully this is just a stopgap
2024-01-23 11:36:58 +00:00
27b56b1a12
programs: sane-sandbox: implement a cleaner debugshell and test API
2024-01-23 11:19:52 +00:00
6e9220d2bb
programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing
2024-01-23 10:44:13 +00:00
0ddcfcaa23
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds
2024-01-23 08:01:23 +00:00
a4cb6645b4
programs: indirect firejail access through sane-sandboxed
2024-01-23 04:02:31 +00:00
2492ed2ca7
programs: introduce a sane-sandboxed helper
...
not yet used, but will be soon
2024-01-23 02:29:33 +00:00
f49d2a1e0e
programs: split "makeSandboxed" into its own file
2024-01-23 01:23:14 +00:00
0dc3f4f7f2
modules/programs: move to subdir
...
this will help me factor out helpers
2024-01-23 01:02:04 +00:00
d5901afb8e
programs: firejail: specify profile via : (clarifies to firejail that it's an identifier and not a path); invoke firejail via name instead of absolute path
2024-01-22 23:58:54 +00:00
8bf41ea858
programs: fix missing newline in firejail config concatenation
2024-01-22 13:11:47 +00:00
df861a3ef0
programs: firejail: inject custom firejail config through /etc/firejail
...
this improves rebuild times, and makes it easier for packages to inject their own free-form config
2024-01-22 11:12:18 +00:00
60547204a8
sane.programs: firejail: support wrapping "runCommand" packages
2024-01-22 09:16:25 +00:00
dd35136ac0
firejail: fix so /run/wrappers are available inside a jail
2024-01-22 07:18:50 +00:00
0f3f0933b1
mpv: sandbox with firejail
2024-01-22 03:50:28 +00:00
9ecd0adcbe
firefox: sandbox with firejail
...
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
i guess this is the 'firejail url problem'
2024-01-21 23:59:15 +00:00
ad92a2e158
programs: abort when no firejail profile is found for a program.
...
in the future, i can whitelist specific binaries to omit their firejail
profiles.
2024-01-21 04:32:49 +00:00
5f5891d241
programs: apply firejail profile to programs which are net isolated
2024-01-21 04:28:48 +00:00
992194a1f0
programs: achieve network sandboxing without "sane-vpn do"
2024-01-21 03:51:12 +00:00
bad6a7bfee
programs: implement "default vpn" with native nix code instead of sane-vpn
2024-01-21 01:04:31 +00:00
66d5e204be
vpn: enforce "id" restrictions
2024-01-21 00:57:46 +00:00
ce35330923
vpn.nix: factor into a proper module
...
this will allow for better integration with 'sane.programs'
2024-01-21 00:49:34 +00:00
59187a0ec0
programs: allow running binaries in a netns-style firejail
2024-01-20 11:11:12 +00:00
fd0723169f
nix-serve: fix coredump loop
2024-01-19 21:34:45 +00:00
43a8ca90a7
feeds: add Cat and Girl
2024-01-16 19:12:25 +00:00
a5c6e41622
feeds: subscribe to POD OF JAKE
2024-01-14 05:20:28 +00:00
812a02bc6b
feeds: add The Dollop podcast
2024-01-14 00:49:29 +00:00
70f059eaac
feeds: subscribe to Jack Stauber
2024-01-13 16:43:41 +00:00
e2a43ddfa0
servo: clightning: allow group members to run lightning-cli
2024-01-11 15:59:32 +00:00
cecb114810
clightning: harden
2024-01-04 18:47:40 +00:00
7378d6c5b2
bitcoind: host behind tor
2024-01-04 16:25:49 +00:00
43498c62f9
clightning: integrate with tor
2024-01-03 18:29:16 +00:00