|
f2e1bb6b86
|
programs: python3-repl: sandbox
|
2024-02-25 18:52:55 +00:00 |
|
|
fe0f6988bd
|
programs: disable wine (unused)
|
2024-02-25 18:42:25 +00:00 |
|
|
c402a265cd
|
programs: stepmania: sandbox
|
2024-02-25 18:26:32 +00:00 |
|
|
d5643a6a5d
|
assorted static-nix-shell packages: use srcRoot
|
2024-02-25 17:37:38 +00:00 |
|
|
e757e35065
|
static-nix-shell: add a srcRoot argument which allows more precisely specifying the source files and avoiding unnecessary rebuilds
|
2024-02-25 17:37:10 +00:00 |
|
|
953dd98b0f
|
refactor: static-nix-shell: remove unused options
|
2024-02-25 17:28:00 +00:00 |
|
|
c9c1181242
|
programs: wireplumber: sandbox
|
2024-02-25 17:11:48 +00:00 |
|
|
f9888fe8d6
|
programs: sane-private-init: sandbox
|
2024-02-25 16:46:10 +00:00 |
|
|
036145e6ba
|
programs: sane-private-change-passwd: sandbox
note that this is entirely untested
|
2024-02-25 16:35:13 +00:00 |
|
|
5b647a1a90
|
programs: sane-private-change-passwd: rewrite based on how my system looks today
i haven't tested this
|
2024-02-25 16:28:57 +00:00 |
|
|
7c486492c8
|
programs: pipewire: port sandbox to bwrap and restrict further
|
2024-02-25 15:19:57 +00:00 |
|
|
890b41f563
|
programs: pipewire: sandbox
still need to sandbox wireplumber
|
2024-02-25 14:34:11 +00:00 |
|
|
ca36fe1b96
|
programs: gnome.seahorse: sandbox
|
2024-02-25 12:03:42 +00:00 |
|
|
d2df668c9e
|
modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
|
2024-02-25 12:00:00 +00:00 |
|
|
b7921ac41b
|
refactor: programs: sort
|
2024-02-25 11:53:49 +00:00 |
|
|
c304367e21
|
programs: gnome-maps: sandbox
|
2024-02-25 11:51:50 +00:00 |
|
|
2ad33a49df
|
refactor: pipewire: remove dead code
|
2024-02-25 10:38:42 +00:00 |
|
|
0b4efd2ab2
|
pipewire: migrate services to sane.programs to completely disable socket activation
see: https://github.com/NixOS/nixpkgs/issues/291318
|
2024-02-25 10:36:21 +00:00 |
|
|
0745e9fc06
|
refactor: programs: split gnome-maps into own file
|
2024-02-25 09:06:32 +00:00 |
|
|
e0267b5669
|
programs: pipewire: disable socket activation
|
2024-02-25 08:55:59 +00:00 |
|
|
b3c7aac8c5
|
programs: wike: sandbox: enable DRI to fix graphical glitches
|
2024-02-25 08:38:10 +00:00 |
|
|
c788596c45
|
programs: sane-private-do: grant net access
crucial for e.g. sane-private-do git push
|
2024-02-25 08:25:13 +00:00 |
|
|
f807d7c0a2
|
modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
|
2024-02-25 08:15:39 +00:00 |
|
|
6ab5dd8a8f
|
modules/persist: ensure that the mountpoint for the private store is created at boot
|
2024-02-25 07:51:24 +00:00 |
|
|
52b8cd0209
|
modules/persist: ensure backing directory is created *before* we mount
|
2024-02-25 07:22:50 +00:00 |
|
|
6865331b48
|
programs: sandbox sane-scripts.private-do
|
2024-02-25 05:41:27 +00:00 |
|
|
dd00a2fe6e
|
sane-private-do: run a shell by default, and leave the mount in its original state on exit
|
2024-02-25 05:41:27 +00:00 |
|
|
4ee02151f4
|
sane-private-{lock,unlock}: just defer to mount
|
2024-02-25 05:19:44 +00:00 |
|
|
00bf2f79cc
|
ssh: clean up /etc/ssh/host_keys persistence
|
2024-02-25 05:19:44 +00:00 |
|
|
04a6055d06
|
remove /libexec from environment.pathsToLink
|
2024-02-25 05:12:44 +00:00 |
|
|
15a7793f0d
|
bonsai: 1.0.2 -> 1.1.0
|
2024-02-25 01:59:01 +00:00 |
|
|
f714bd8281
|
programs: jq: sandbox
|
2024-02-25 01:59:01 +00:00 |
|
|
73b2594d9b
|
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
|
2024-02-25 01:59:01 +00:00 |
|
|
a55dc5332d
|
modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option
some programs will want this, to create directories by name; e.g. archive managers
|
2024-02-25 01:48:10 +00:00 |
|
|
86108518da
|
modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect
|
2024-02-25 01:43:39 +00:00 |
|
|
0f1ad0f3c9
|
fs: auto-mount /mnt/<host>/home and enable "follow_symlinks" option
|
2024-02-24 16:04:04 +00:00 |
|
|
bcd7a6f646
|
nixpkgs: 2024-02-22 -> 2024-02-24
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/024149d718e25378f4decfeeb614b88208c2f700' (2024-02-22)
→ 'github:nixos/nixpkgs/a3e2b0de906a8fe0143c2783199abdc132dee56a' (2024-02-24)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/a7fa133a1e973c127e9c83e2c8e3407ae3797099' (2024-02-22)
→ 'github:nixos/nixpkgs/b66514c14e85cd7d853d6dbbf1a421ba232eff10' (2024-02-24)
```
|
2024-02-24 12:21:27 +00:00 |
|
|
92c2eb8383
|
nixpatches: update the icu cross fix
|
2024-02-24 12:14:29 +00:00 |
|
|
879d01ac2e
|
modules/ssh: note that theres a better store to place the ssh host_keys in
|
2024-02-24 12:14:14 +00:00 |
|
|
0448df51e3
|
modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag
|
2024-02-24 12:00:58 +00:00 |
|
|
8e3eed7d51
|
modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel
this will make it easier to intercept
|
2024-02-24 11:57:42 +00:00 |
|
|
88a70b41f1
|
modules/programs: handle more symlink forms when calculating a program's sandbox closure
|
2024-02-24 11:47:39 +00:00 |
|
|
6f59254a22
|
modules/programs: fix symlink following
|
2024-02-24 05:36:44 +00:00 |
|
|
4023960dc0
|
README: MANUAL MIGRATION: move "plaintext" store to /nix/persist/plaintext
to migrate the data:
```sh
$ sudo mkdir /nix/persist/plaintext
$ sudo mv /nix/persist/{etc,home,var} /nix/persist/plaintext
$ sudo ln -s plaintext/etc /nix/persist/etc #< temporarily; if deploying over ssh
$ switch
$ reboot
$ sudo rm /nix/persist/etc #< if you did the symlink earlier
```
|
2024-02-23 18:02:17 +00:00 |
|
|
fff9f9d49a
|
README: MANUAL MIGRATION: move "private" store to /nix/persist/private
to migrate the data, first unmount `~/private` (`sane-private-lock`), then:
```sh
$ sudo mv /nix/persist/home/colin/private /nix/persist
$ switch
$ reboot
```
|
2024-02-23 16:01:09 +00:00 |
|
|
eecb98e2ee
|
programs: bonsai: fix eval error
|
2024-02-23 16:00:32 +00:00 |
|
|
5838603953
|
programs: sane-private-unlock: unbreak
it still doesn't work inside a sandbox, because 'mount' requires suid
|
2024-02-23 15:59:56 +00:00 |
|
|
c6ebcfe66e
|
servo: port legacy /var/lib users over to "method = bind" persistence
i may wittle these down in the future
|
2024-02-23 15:49:54 +00:00 |
|
|
d7402ae170
|
persist: stores: make naming more consistent
|
2024-02-23 14:57:20 +00:00 |
|
|
bd7ca20361
|
desko: fs: remove dead code
|
2024-02-23 14:45:57 +00:00 |
|