|
d54f8b1e93
|
programs: fix so environment variables make it onto user sessions
|
2024-01-27 09:02:55 +00:00 |
|
|
27f3b2bd76
|
firefox: allow ~/tmp and ~/Pictures access
|
2024-01-27 06:00:46 +00:00 |
|
|
b417f60769
|
sane-sandboxed: try binding /proc/self in landlock. still doesnt work well
|
2024-01-27 05:59:40 +00:00 |
|
|
df2d5b6d01
|
sane-sandboxed: fixup /dev/std* for wireshark
|
2024-01-27 05:12:43 +00:00 |
|
|
3e6278fa21
|
wireshark: sandbox with landlock instead of firejail
and remove the SUID wrapper, yay!
|
2024-01-27 04:44:21 +00:00 |
|
|
a66b257644
|
sane-sandboxed: better support for landlock and SANE_SANDBOX_PREPEND/APPEND
|
2024-01-27 04:43:42 +00:00 |
|
|
ef66d2ec72
|
sane-sandboxed: add support for landlock backend
|
2024-01-27 03:39:26 +00:00 |
|
|
e21dbd507d
|
landlock-sandboxer: init
|
2024-01-26 16:52:33 +00:00 |
|
|
64878bee67
|
sane-sandboxed: add SANE_SANDBOX_PREPEND, SANE_SANDBOX_APPEND env vars
|
2024-01-26 09:14:18 +00:00 |
|
|
557a080ffc
|
TODO.md: try landlocked for sandboxing, instead of bubblewrap
|
2024-01-26 09:13:46 +00:00 |
|
|
8ecb17ed3e
|
programs: enable libcap_ng/netcap
|
2024-01-26 09:13:20 +00:00 |
|
|
c4874c85b1
|
bubblewrap: debugging
|
2024-01-26 09:13:00 +00:00 |
|
|
563a75e9b2
|
users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
|
2024-01-25 15:05:35 +00:00 |
|
|
7f002b8718
|
programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting
|
2024-01-24 06:34:11 +00:00 |
|
|
79e2bd2913
|
epiphany: sandbox with bwrap
this is the first app which *requires* DRI/DRM to function correctly. maybe this effects anything webkitgtk (like wike)?
|
2024-01-24 06:25:20 +00:00 |
|
|
95161b55cd
|
spot: sandbox with bwrap
|
2024-01-24 05:47:04 +00:00 |
|
|
d91759068c
|
element-desktop: sandbox with bwrap
|
2024-01-24 05:37:46 +00:00 |
|
|
c23c496066
|
programs: tuba: sandbox with bwrap
it complains "Fontconfig error: No writable cache directories"
seeeeeveral times. not sure if that's new or not. no obvious
consequences.
|
2024-01-24 05:34:10 +00:00 |
|
|
824630f7d1
|
programs: sandboxing: document /dev/dri a bit more
|
2024-01-24 05:28:27 +00:00 |
|
|
f8e8d23857
|
vlc: sandbox with bwrap instead of firejail
|
2024-01-24 05:19:20 +00:00 |
|
|
8484bb7978
|
docs: mime: document how to show the nix mime associations
|
2024-01-24 05:00:35 +00:00 |
|
|
57105c6861
|
sane-sandboxed: autodetect: handle file:/// URIs
|
2024-01-24 05:00:08 +00:00 |
|
|
3758044e7b
|
sane-sandboxed: better handle "--"
|
2024-01-24 04:59:24 +00:00 |
|
|
bfaf098c31
|
sane-sandboxed: fix handling of -- (which previously smushed arguments)
|
2024-01-24 02:52:01 +00:00 |
|
|
0e99b296bc
|
animatch: remove the (unused) .config directory
|
2024-01-24 02:18:58 +00:00 |
|
|
089f86d5e4
|
programs: make /usr/bin/env available in the sandbox
enables KOReader to run
|
2024-01-24 01:48:02 +00:00 |
|
|
d0e1241bd1
|
animatch: fix to run on wayland w/o Xwayland, and enable bwrap sandbox
|
2024-01-24 01:43:33 +00:00 |
|
|
c1a0a08b76
|
gtkcord4: sandbox with bwrap
|
2024-01-24 00:12:12 +00:00 |
|
|
e8748ce0a0
|
servo: lemmy: pict-rs: port the media-enable-full-video -> media-video-allow-audio CLI flag
|
2024-01-23 17:12:13 +00:00 |
|
|
7cf9b342cc
|
gpodder: fixup GPODDER_DOWNLOAD_DIR to be more friendly to sandboxing
|
2024-01-23 16:44:47 +00:00 |
|
|
8739851f48
|
evince: port sandbox from firejail to bwrap
|
2024-01-23 16:44:13 +00:00 |
|
|
d945b43f6b
|
signal-desktop: switch sandbox from firejail -> bwrap
|
2024-01-23 16:42:48 +00:00 |
|
|
fcc3ea1e39
|
todo: update containerization tasks
|
2024-01-23 16:41:06 +00:00 |
|
|
7722acecee
|
sway: obtain deps via "config.sane.programs", so that i get the sandboxed version of e.g. splatmoji
|
2024-01-23 16:32:42 +00:00 |
|
|
bdd70f8fa2
|
sane-sandboxed: ignore the executable path when autodetecting media
|
2024-01-23 16:32:06 +00:00 |
|
|
571a0a9d06
|
gui: disable unused abaddon app
|
2024-01-23 16:30:06 +00:00 |
|
|
ccf4f66dd9
|
programs: dialect: sandbox with bubblewrap
|
2024-01-23 16:23:14 +00:00 |
|
|
b38e5403a5
|
splatmoji: sandbox
|
2024-01-23 16:01:27 +00:00 |
|
|
09af041745
|
g4music: ensure it can access the Music dir in its sandbox
|
2024-01-23 16:00:21 +00:00 |
|
|
cb5131746f
|
programs: audacity: sandbox with bubblewrap
|
2024-01-23 15:59:50 +00:00 |
|
|
2fbd0f8ee1
|
nixpatches: apply bonsai refactor PR
|
2024-01-23 15:50:32 +00:00 |
|
|
bfd5630e21
|
programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths
|
2024-01-23 15:48:12 +00:00 |
|
|
026f5dee4d
|
programs: g4music: sandbox with bwrap
|
2024-01-23 15:06:45 +00:00 |
|
|
b59be8338a
|
firefox: fix up sandboxing of ssh/sops
|
2024-01-23 14:57:57 +00:00 |
|
|
ab4bbc2224
|
programs: remove explicit firejail installation; let sane.programs decide when to install it sys-wide
|
2024-01-23 14:57:33 +00:00 |
|
|
156fcd1bf2
|
aerc: enable bwrap sandbox
|
2024-01-23 14:57:33 +00:00 |
|
|
576d2c32f0
|
programs: support secrets even when sandboxed
|
2024-01-23 14:57:33 +00:00 |
|
|
bb63a594ab
|
conky: fixup needed paths for bwrap
|
2024-01-23 14:57:33 +00:00 |
|
|
25739ec2ba
|
programs: sane-sandboxed: avoid reading firejail profiles when the backend isnt firejail
this should provide a marginal perf gain
|
2024-01-23 14:57:33 +00:00 |
|
|
f148334b58
|
programs: port extraFirejailConfig to extraConfig
|
2024-01-23 14:57:33 +00:00 |
|