4e5e4219ec
programs: usbutils: sandbox
2024-02-16 04:03:47 +00:00
824dd7c1f5
programs: endless-sky: sandbox with bwrap
2024-02-16 04:00:27 +00:00
b840a0d61c
programs: space-cadet-pinball: sandbox w/ bwrap
2024-02-16 03:58:09 +00:00
36bcecfd68
programs: sort
2024-02-16 03:53:53 +00:00
c3a5fb9394
programs: wdisplays: sandbox with bwrap
2024-02-16 03:53:27 +00:00
30507c3564
programs: soundconverter: sandbox with bwrap
2024-02-16 03:51:23 +00:00
2b66ffc58a
programs: feedbackd: sandbox w/ bwrap
2024-02-16 03:49:59 +00:00
48d96c1f36
programs: hase: sandbox with bwrap
...
couldn't test the net feature, because hase servers have since gone
offline :((
2024-02-16 03:48:59 +00:00
cdf61755a3
programs: splatmoji: document the sandboxing approach
2024-02-16 03:46:48 +00:00
511752fab5
programs: xdg-desktop-portal{-gtk,-wlr}: enable sandbox
2024-02-16 03:17:19 +00:00
40ed7cff1b
programs: git: fix failing sandbox build
2024-02-16 03:16:46 +00:00
5e7f914354
programs: superTux: fix failing sandbox build
2024-02-16 03:16:28 +00:00
0dec8b6d5b
programs: fontconfig: sandbox
2024-02-15 18:26:45 +00:00
7eaffc9fa0
programs: w3m: enable sandbox
2024-02-15 18:25:48 +00:00
b7c1a6331d
programs: mate.engrampa: enable sandbox
2024-02-15 18:24:27 +00:00
d6868d58e6
xdg-desktop-portal: disable sandbox
2024-02-15 18:23:40 +00:00
52d768a162
programs: xterm: mark as not needing a sandbox
2024-02-15 17:26:55 +00:00
7a685d8de9
programs: inkscape: sandbox with bwrap
2024-02-15 17:26:37 +00:00
838c6d7dc8
programs: swaync: sandbox
2024-02-15 16:38:38 +00:00
9d706df5b5
programs: waybar: narrow the /run/user paths to just sway-ipc.sock
2024-02-15 14:40:01 +00:00
24d23f7903
programs: bemenu: fix sandboxing
2024-02-15 14:33:20 +00:00
5090c4e88c
sway: define without using nixos "programs.sway"
...
motivation was to leverage 'sane.programs.sway.env' to statically configure SWAYSOCK. i think that's still the right way: we'll see
2024-02-15 14:25:27 +00:00
081114da65
programs: waybar: sandbox in a way that works well for moby too
2024-02-15 13:16:18 +00:00
02b7586ffa
programs: komikku: add dbus to the sandbox to fix it
2024-02-15 11:58:08 +00:00
25dcb7f89a
programs: open-in-mpv: document that upstream merged my PR
2024-02-15 11:38:37 +00:00
88f1d63b6e
firefox: properly integrate xdg-desktop-portal for opening media
2024-02-15 11:36:50 +00:00
d36e269edd
programs: loupe: remove the dbus services to make it work with Firefox
2024-02-15 11:36:24 +00:00
582a003739
programs: waybar: fix battery indicator within sandbox
2024-02-15 10:35:24 +00:00
df60be8c61
open-in-mpv: sandbox with bwrap
2024-02-15 09:49:03 +00:00
e8b4c36442
programs: nautilus: specify inode/directory mime association
2024-02-15 09:48:26 +00:00
2f699737f5
firefox: fix open-in-mpv integration
...
two parts: add open-in-mpv's config to firefox's sandbox; patch open-in-mpv to forward to xdg-open
2024-02-15 09:14:57 +00:00
4a3d24be3f
waybar: migrate all config to "sane.programs"
2024-02-15 07:18:12 +00:00
10feb319fe
sway: lift waybar to own file and sandbox it
2024-02-15 02:33:40 +00:00
b2fcf6fdfd
programs: messengers (fractal, signal, dino, tuba): add media libraries to the sandbox
2024-02-15 00:49:24 +00:00
dcc2eb265d
programs: re-enable sandbox for tumiki-fighters and losslesscut (X applications)
2024-02-15 00:09:40 +00:00
518c3afd07
programs: sandbox: disable losslesscut/tumiki-fighters sandbox until i can figure out Xwayland
2024-02-14 14:37:59 +00:00
90dee85664
programs: sort alphabetically
2024-02-14 14:28:22 +00:00
26fc283fd9
programs: losslesscut: sandbox
2024-02-14 14:26:56 +00:00
d0430ce1e9
programs: pavucontrol/pwvucontrol: enable audio devices inside the sandbox
2024-02-14 14:26:56 +00:00
368a52b91e
programs: speedtest-cli: sandbox with bwrap
2024-02-14 14:26:56 +00:00
d90dacee1f
programs: grimshot: sandbox with bwrap
2024-02-14 14:17:41 +00:00
a6e2b3bc5c
programs: xdg-terminal-exec: disable sandbox
2024-02-14 14:11:35 +00:00
8863a3c674
programs: wob: sandbox with bwrap
2024-02-14 14:10:20 +00:00
fa8d6dbb9f
programs: wob: fix config substitution
2024-02-14 14:04:54 +00:00
e5e79a6b60
programs: FileMimeInfo: disable sandbox
2024-02-14 13:54:21 +00:00
95f7eeeb5c
programs: libnotify: sandbox with bwrap
2024-02-14 13:49:48 +00:00
29d638c68b
programs: dig: sandbox with bwrap
2024-02-14 13:47:44 +00:00
7d22a5466f
programs: zsh: fix "switch" function to be friendly to sandboxing
2024-02-14 13:45:56 +00:00
5907d9fa42
Revert "xdg-desktop-portal-gtk: build without support for notifications"
...
This reverts commit c9e02bfd8a
.
disable notifications at this level did not cause fractal (gtk app) to
send its notifications to swaync. instead, it still tried to deliver to
the Portal, where the Portal wasn't expecting anything and just returned
an error to fractal.
setting `GNOTIFICATION_BACKEND = "freedesktop"` seems to be the correct
way to get gtk apps to behave as desired with their notifications.
2024-02-14 11:09:37 +00:00
67fe8d4666
swaync: propagate GNOTIFICATION_BACKEND = "freedesktop"
to all users
2024-02-14 11:09:20 +00:00
c9e02bfd8a
xdg-desktop-portal-gtk: build without support for notifications
2024-02-14 10:51:18 +00:00
03b58b3cab
programs: vim: support system copy/paste inside of sandbox
2024-02-14 09:11:31 +00:00
ae01c17c05
programs: splatmoji: fix to work inside a sandbox again
2024-02-14 09:11:12 +00:00
677e6e679b
programs: sandbox {s,}waylock lockscreen
2024-02-14 08:48:03 +00:00
3eb47a9a8d
programs: swaylock: *partially* sandbox with capsh
2024-02-14 05:46:36 +00:00
f11e443678
programs: waylock: *partially* sandbox with capsh
2024-02-14 05:46:28 +00:00
8f8ec090c4
programs: add "waylock"
2024-02-14 05:01:33 +00:00
e174eaeff0
programs: loupe: fix sandboxing
2024-02-14 04:32:10 +00:00
f12b7afa1e
programs: mimeo: dont sandbox
2024-02-14 01:51:26 +00:00
080bd856ec
programs: sandboxing: only permit wayland socket access to those specific apps which require it
2024-02-14 01:49:49 +00:00
2d7c5b9fa5
programs: mpv: explicitly add Videos/servo, Books/servo to sandbox
2024-02-13 15:38:57 +00:00
83cb29aeeb
xdg-utils: re-add mimetype
package
2024-02-13 12:31:04 +00:00
1a18ed533b
programs: don't include dbus in the sandbox by default
2024-02-13 11:58:33 +00:00
18eec98cae
programs: brightnessctl: switch to landlock
2024-02-13 11:58:33 +00:00
82c386a6a4
programs: tor-browser-bundle-bin -> tor-browser
...
they're the same (aliased), only my programs API expects 'tor-browser' specifically
2024-02-13 11:58:33 +00:00
634dc318cd
programs: spotify: remove old/unused firejail config
2024-02-13 11:15:30 +00:00
6eaaeeb91a
programs: remove audio from the sandbox by default
2024-02-13 11:14:38 +00:00
94be4a7551
programs: wob: fix service definition (Exec -> ExecStart)
2024-02-13 11:03:18 +00:00
b4a20da78a
programs: brightnessctl: sandbox
2024-02-13 10:55:44 +00:00
bb68506839
modules/programs: add separate "user" v.s. "system" options for whitelistDbus
2024-02-13 10:55:10 +00:00
77e2af0ed9
programs: krita: enable sandbox
2024-02-13 10:36:42 +00:00
126f3e4922
programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default
2024-02-13 10:28:30 +00:00
371af5939e
programs: mpv: tighten the /run/user portion of the sandbox
2024-02-12 15:24:07 +00:00
e94e338040
programs: handbrake: remove unneeded Pictures/servo-macros from sandbox
2024-02-12 12:54:41 +00:00
354ce378f6
programs: assorted: convert /mnt/servo "extraPaths" into "extraHomePaths" where possible
2024-02-12 12:54:16 +00:00
f9a998eb92
programs: koreader: remove "sandbox.embedProfile = true"
...
i guess this was set while i was debugging
2024-02-12 11:33:55 +00:00
1e05119adc
mpv: fix loading of album art within sandbox
2024-02-12 08:59:46 +00:00
e81df0ac86
modules/programs: enforce that user services don't accidentally override PATH
2024-02-12 08:44:55 +00:00
b19492ba23
programs: mpv: add .config/mpv to sandbox paths
2024-02-12 08:26:51 +00:00
8b26fa1303
programs: wob: split the script into an actual package
2024-02-12 08:26:51 +00:00
6b3a71aadf
programs: xdg-desktop-portal: dont show app chooser for apps which are the default association
2024-02-12 07:12:04 +00:00
66ca822ac1
remove xdg-desktop-portal-gtk service; xdg-desktop-portal knows how to start that itself
2024-02-12 01:33:34 +00:00
db7a414030
xdg-desktop-portal(s): dont install globally
2024-02-12 01:16:17 +00:00
87050a0500
feeds: add "FullTimeNix" podcast :)
2024-02-12 00:09:49 +00:00
bf53e3628a
xdg-utils: cleanup
2024-02-11 23:57:50 +00:00
d35f938806
mime.nix: fix cross build
2024-02-11 23:44:55 +00:00
d719eb0f11
programs: gPodder: enable Videos/gPodder in sandbox
2024-02-11 23:37:16 +00:00
0fbc10fce3
mime: store mime associations in ~/.local/share/applications instead of /run/current-system/sw/share/applications to facilitate sandboxing
2024-02-11 23:31:43 +00:00
772f1070e7
xdg-desktop-portal: configure myself, to unblock future portal-related work
2024-02-11 23:29:07 +00:00
590a239f7d
programs: gpodder: sandbox with bwrap
...
which we can do, now that xdg-open works correctly within sandboxes
2024-02-09 10:31:42 +00:00
bcbc57f5ef
programs: get xdg-open to work from within sandboxes
...
note that implementation may have a quirk that applications launched via the portal cannot themselves "xdg-open" through the portal, because of the environment variable manipulation.
not sure how best to address that.
2024-02-09 10:27:30 +00:00
c9af5bf9b4
programs: sandboxing: enable net isolation for most sandboxed programs
2024-02-08 21:51:32 +00:00
f6ca6210f9
feeds: link to podcastindex.org
2024-02-07 21:47:19 +00:00
0c050d1953
programs: fuzzel: fix overly-aggressive sandboxing
2024-02-06 20:10:29 +00:00
2fc1fe7510
modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries
2024-02-06 19:55:55 +00:00
5fbf66fb15
programs: loupe: sandbox with bwrap
2024-02-06 06:05:32 +00:00
97d50629e9
programs: handbrake: sandbox with landlock
2024-02-06 05:48:54 +00:00
5f8699fcef
rearrange /mnt structure for host-based subdirs
...
e.g. /mnt/servo/media, /mnt/desko/home, etc
2024-02-06 05:48:11 +00:00
5ff7bf0c69
programs: fuzzel: sandbox
2024-02-06 02:34:46 +00:00
2495200b67
tidy: programs: wget: remove warning about the sandbox being untested
2024-02-06 01:34:40 +00:00
4c499629f5
programs: vvvvvv: sandbox with bwrap
2024-02-06 01:34:04 +00:00
7b9f54dd54
programs: superTux: sandbox with bwrap
2024-02-06 01:16:36 +00:00
bda932c3df
programs: supertuxkart: sandbox with bwrap
2024-02-06 01:10:39 +00:00
1c4e2f97fe
swaylock: mark sandboxing as unsupported
2024-02-05 23:36:35 +00:00
594a729968
feeds: remove balaji
2024-02-05 22:48:09 +00:00
6eb2a3d67f
programs: handbrake: sandbox with bwrap
2024-02-05 22:28:15 +00:00
ddc41bc9d8
programs: pavucontrol/pwvucontrol: sandbox with bwrap
2024-02-05 22:15:48 +00:00
7d833ebf76
programs: kdenlive: sandbox with bwrap
2024-02-05 22:07:37 +00:00
bfc0eadfaa
programs: hitori: sandbox with bwrap
2024-02-05 21:52:57 +00:00
ff1cbcc16b
programs: gnome-clocks,gnome-calendar: sandbox with bwrap
2024-02-05 21:46:27 +00:00
9a8d8a20bd
programs: frozen-bubble: persist data and sandbox with bwrap
2024-02-05 21:32:58 +00:00
cd1d22e7b9
programs: gnome-calculator: sandbox with bwrap
2024-02-05 20:58:38 +00:00
2c0e93826d
programs: gimp: sandbox with bwrap
2024-02-05 20:53:05 +00:00
cab346f3ad
programs: delfin: sandbox with bwrap
2024-02-05 20:44:47 +00:00
a2decaff9c
programs: bemenu: sandbox with landlock
2024-02-05 18:41:52 +00:00
8ef9f7a485
epiphany: persist dconf settings; reduce sandboxer errors
2024-02-05 18:31:38 +00:00
12846732b9
programs: blanket: sandbox with bwrap
2024-02-05 18:26:21 +00:00
e84079e84c
programs: firefox: allow sandbox access to ~/dev
2024-02-05 18:17:49 +00:00
45ffd9246d
programs: brave: sandbox with bwrap
2024-02-05 18:17:28 +00:00
ed3935318d
feeds: subscribe to non-paywalled Matt Levine
2024-02-05 16:41:38 +00:00
6d1eae2200
programs: gnome-2048: sandbox with bwrap
2024-02-05 08:26:06 +00:00
293eab8225
koreader: use modern openssl
2024-02-04 20:05:02 +00:00
abdbb83e10
koreader: replace vendored dependencies with their nixpkgs equivalents much more effectively
...
the old method was still causing everything to be re-compiled within koreader, rather than linking against the nix store.
decreases build time to about 3m on a desktop
2024-02-04 19:39:32 +00:00
dc74bca06a
programs: vim: add private/knowledge to sandbox
2024-02-03 23:53:53 +00:00
42523b75a8
programs: gdb: disable sandboxing
2024-02-03 23:53:34 +00:00
111946eb1d
programs: vim, imagemagick: fix sandboxing to consider uncreated files
2024-02-03 14:07:53 +00:00
14b20fd9c2
programs: komikku: fix sandboxing
2024-02-03 00:52:17 +00:00
2df1b20f02
programs: epiphany: simplify the sandboxing
2024-02-03 00:44:23 +00:00
2f9fad503c
programs: fix sandboxing errors for programs which create files (notably: ffmpeg)
2024-02-03 00:17:54 +00:00
56734fe5da
mpv: add /dev/dri to the sandbox
2024-02-02 19:18:30 +00:00
3c96f6d418
programs: koreader: enable DRI in the sandbox, and use wrappedDerivation
2024-02-02 17:22:57 +00:00
86b23e8183
programs: fractal: enable DRI in sandbox
2024-02-02 17:19:35 +00:00
6151eee8d5
programs (assorted): fix wantedBy = "default.target" to be more specific
...
now GUI apps aren't stuck in a restart loop until sway starts
in particular, signal-desktop can actually be autostarted
2024-02-02 14:21:57 +00:00
2824671bde
tune nix deploy parameters (specifically for moby)
...
this is experimental; hard to understand immediately how significant are the effects
2024-02-02 00:50:25 +00:00
efcaef2c35
lappy/desko/servo: downgrade kernel 6.7 -> 6.6 (latest supported by zfs)
2024-02-01 16:21:46 +00:00
3100189172
purge supercap
...
i no longer have access to dispatch build jobs to it :((((
2024-02-01 15:36:37 +00:00
715ac42f13
remove samba from closure
...
current samba hangs during configurePhase. this is not the first time samba has failed to build. nor the third. purge it.
2024-02-01 15:28:40 +00:00
a9810e7343
re-ship linux 6.7 to lappy/desko/servo
...
now that landlock-sandboxer builds against the correct linux headers,
this can actually work.
2024-02-01 13:54:44 +00:00
00f995aec9
fixup landlock-sandboxer to work well for all systems
...
downgrade lappy/desko/servo back to default linux; zfs doesn't support latest
build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way
2024-01-31 21:19:10 +00:00
368eb2c29b
programs: git: whitelist more repo roots
2024-01-31 21:17:48 +00:00
5f793523d1
ship linux 6.7 to lappy/desko/servo
2024-01-31 20:33:15 +00:00
30288cd67f
user: add CAP_NET_ADMIN,CAP_NET_RAW even outside of systemd session
...
in fact, *only* outside of systemd session because they broke ambient caps in 255
2024-01-31 15:42:43 +00:00
8736ca478b
programs: firefox: allow access to servo image-macros
2024-01-31 15:36:09 +00:00
cb3960fb21
programs: git: fix access to ~/private/knowledge
2024-01-31 15:35:21 +00:00
6e24a1ff28
programs: re-enable sops
2024-01-31 15:30:15 +00:00
f5c88853ee
sway: replace "greetd" with "unl0kr"-based login process
2024-01-31 15:20:27 +00:00
0009e5ca4c
programs: sandboxing: use wrapperType="wrappedDerivation" where applicable
2024-01-29 15:21:16 +00:00
db6ba61429
programs: sandbox more apps with wrapperType=wrappedDerivation
2024-01-29 13:45:57 +00:00
d3f7a036ce
ripgrep: move options out of assorted.nix into its own file
2024-01-29 12:57:56 +00:00
0454abacd9
komikku: sandbox
2024-01-29 12:56:08 +00:00