| Commit | Message | Date |
|---|---|---|
| 42f9fa029d | modules/programs: fix that whitelistPwd wasn't passed into the sandbox profile | 2024-01-28 09:04:27 +00:00 |
| 40fee97b06 | modules/programs: make-sandboxed: disallowReferences to the fake sane-sandboxed used during checkPhase | 2024-01-28 08:58:13 +00:00 |
| 3cc8292d8b | modules/programs: make-sandboxed: support packages with checkPhase by bypassing the sandbox | 2024-01-28 07:45:08 +00:00 |
| 9261d30a34 | modules/programs: reformatting | 2024-01-28 05:58:08 +00:00 |
| 3eb3a8db5a | modules/programs: add a whitelistPwd option to grant the program access to the directory it was called from | 2024-01-28 05:57:30 +00:00 |
| 97129268f0 | modules/programs: sandbox: add "capshonly" as a valid sandbox.method | 2024-01-28 05:57:11 +00:00 |
| 4d7414c941 | programs: introduce and use "autodetectCliPaths" nix config | 2024-01-27 17:19:48 +00:00 |
| a7d081bfcb | modules/programs: add a sane.strictSandboxing option | 2024-01-27 17:11:07 +00:00 |
| 5ca208d07f | modules/programs: sandbox: add enable flag and capabilities structured config | 2024-01-27 17:08:27 +00:00 |
| 26b978dcf2 | modules/programs: sandbox: fix "inline" -> "inplace" typo | 2024-01-27 14:42:25 +00:00 |
| d8b6d419b6 | modules/programs: sandboxing: add wrapperType = "wrappedDerivation" to wrap without rebuilding the whole package | 2024-01-27 14:26:41 +00:00 |
| a06c81643c | sane-sandboxed: don't error if ~ files aren't available to be bound | 2024-01-27 12:48:58 +00:00 |
| 15fd7bf4a5 | sane-sandboxed: implement a "capshonly" backend | 2024-01-27 12:39:36 +00:00 |
| a6b824d3c4 | modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system | 2024-01-27 12:23:25 +00:00 |
| 3b4884fcf1 | sane-sandbox: fix secret binding | 2024-01-27 11:26:10 +00:00 |
| 4319dc58eb | programs: landlock: restrict the capabilities of sandboxed processes | 2024-01-27 09:49:51 +00:00 |
| 3122434908 | programs: add an option to configure extra home paths to make accessible in the sandbox | 2024-01-27 09:11:32 +00:00 |
| d54f8b1e93 | programs: fix so environment variables make it onto user sessions | 2024-01-27 09:02:55 +00:00 |
| b417f60769 | sane-sandboxed: try binding /proc/self in landlock. still doesn't work well | 2024-01-27 05:59:40 +00:00 |
| df2d5b6d01 | sane-sandboxed: fixup /dev/std* for wireshark | 2024-01-27 05:12:43 +00:00 |
| a66b257644 | sane-sandboxed: better support for landlock and SANE_SANDBOX_PREPEND/APPEND | 2024-01-27 04:43:42 +00:00 |
| ef66d2ec72 | sane-sandboxed: add support for landlock backend | 2024-01-27 03:39:26 +00:00 |
| 64878bee67 | sane-sandboxed: add SANE_SANDBOX_PREPEND, SANE_SANDBOX_APPEND env vars | 2024-01-26 09:14:18 +00:00 |
| c4874c85b1 | bubblewrap: debugging | 2024-01-26 09:13:00 +00:00 |
| 7f002b8718 | programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting | 2024-01-24 06:34:11 +00:00 |
| 824630f7d1 | programs: sandboxing: document /dev/dri a bit more | 2024-01-24 05:28:27 +00:00 |
| 57105c6861 | sane-sandboxed: autodetect: handle file:/// URIs | 2024-01-24 05:00:08 +00:00 |
| 3758044e7b | sane-sandboxed: better handle "--" | 2024-01-24 04:59:24 +00:00 |
| bfaf098c31 | sane-sandboxed: fix handling of -- (which previously smushed arguments) | 2024-01-24 02:52:01 +00:00 |
| 089f86d5e4 | programs: make /usr/bin/env available in the sandbox<br>enables KOReader to run | 2024-01-24 01:48:02 +00:00 |
| bdd70f8fa2 | sane-sandboxed: ignore the executable path when autodetecting media | 2024-01-23 16:32:06 +00:00 |
| bfd5630e21 | programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths | 2024-01-23 15:48:12 +00:00 |
| 576d2c32f0 | programs: support secrets even when sandboxed | 2024-01-23 14:57:33 +00:00 |
| 25739ec2ba | programs: sane-sandboxed: avoid reading firejail profiles when the backend isn't firejail<br>this should provide a marginal perf gain | 2024-01-23 14:57:33 +00:00 |
| f148334b58 | programs: port extraFirejailConfig to extraConfig | 2024-01-23 14:57:33 +00:00 |
| 3a6ee8708e | programs: sane-sandboxed: don't error if network mountpoints are offline | 2024-01-23 13:13:31 +00:00 |
| 983bf93d8f | programs: sane-sandboxed: make the profile handle arguments with spaces | 2024-01-23 12:47:25 +00:00 |
| 40cc8f5d1c | programs: sane-sandboxed: make more debuggable | 2024-01-23 12:27:23 +00:00 |
| cce03a5dc8 | programs: sandbox: use --dev-bind-try for root paths; fixes mpv on moby | 2024-01-23 12:18:32 +00:00 |
| 98dfc3aa5a | programs: sandbox: allow all programs to access media<br>hopefully this is just a stopgap | 2024-01-23 11:36:58 +00:00 |
| 27b56b1a12 | programs: sane-sandbox: implement a cleaner debugshell and test API | 2024-01-23 11:19:52 +00:00 |
| 6e9220d2bb | programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing | 2024-01-23 10:44:13 +00:00 |
| 0ddcfcaa23 | sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds | 2024-01-23 08:01:23 +00:00 |
| a4cb6645b4 | programs: indirect firejail access through sane-sandboxed | 2024-01-23 04:02:31 +00:00 |
| 2492ed2ca7 | programs: introduce a sane-sandboxed helper<br>not yet used, but will be soon | 2024-01-23 02:29:33 +00:00 |
| f49d2a1e0e | programs: split "makeSandboxed" into its own file | 2024-01-23 01:23:14 +00:00 |
| 0dc3f4f7f2 | modules/programs: move to subdir<br>this will help me factor out helpers | 2024-01-23 01:02:04 +00:00 |
| d5901afb8e | programs: firejail: specify profile via : (clarifies to firejail that it's an identifier and not a path); invoke firejail via name instead of absolute path | 2024-01-22 23:58:54 +00:00 |
| 8bf41ea858 | programs: fix missing newline in firejail config concatenation | 2024-01-22 13:11:47 +00:00 |
| df861a3ef0 | programs: firejail: inject custom firejail config through /etc/firejail<br>this improves rebuild times, and makes it easier for packages to inject their own free-form config | 2024-01-22 11:12:18 +00:00 |