colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
4,761 Commits 125 Branches 1 Tag 12 MiB
4ee2562202
Commit Graph

1960 Commits

Author SHA1 Message Date
Colin
4ee2562202 programs: tidy: prefer "sandbox.extraHomePaths" over "fs" for external deps 2024-01-27 14:54:17 +00:00
Colin
08b1ece56e programs: gnome-weather: sandbox with bwrap 2024-01-27 14:53:38 +00:00
Colin
b22c2e094c koreader: sandbox with bwrap 2024-01-27 14:39:22 +00:00
Colin
b40775f97c koreader-from-src: document FTP configuration 2024-01-27 14:39:02 +00:00
Colin
100ddad40e wike: link to issue about state directory 2024-01-27 14:27:02 +00:00
Colin
1bde38bf72 cozy: sandbox with bwrap 2024-01-27 13:11:22 +00:00
Colin
0a25ef544f wike: sandbox with bwrap 2024-01-27 12:29:58 +00:00
Colin
79ee47bada firefox: get away with linking slightly less into the sandbox 2024-01-27 11:41:18 +00:00
Colin
be06e61bfb programs: geary: fix sandboxing 
this is an UGLY one. geary itself uses bwrap, and that fails if it's sandboxed AT ALL in landlock (i.e. even with just / landlocked as RW).

maybe this has to do with what landlock-sandboxer considers 'read/write' to be, and there's actually more file ops i need to enable on /
 2024-01-27 11:28:08 +00:00
Colin
dae7785ee2 wireshark: remove dead code 2024-01-27 09:04:08 +00:00
Colin
27f3b2bd76 firefox: allow ~/tmp and ~/Pictures access 2024-01-27 06:00:46 +00:00
Colin
3e6278fa21 wireshark: sandbox with landlock instead of firejail 
and remove the SUID wrapper, yay!
 2024-01-27 04:44:21 +00:00
Colin
8ecb17ed3e programs: enable libcap_ng/netcap 2024-01-26 09:13:20 +00:00
Colin
c4874c85b1 bubblewrap: debugging 2024-01-26 09:13:00 +00:00
Colin
563a75e9b2 users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw 
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
 2024-01-25 15:05:35 +00:00
Colin
79e2bd2913 epiphany: sandbox with bwrap 
this is the first app which *requires* DRI/DRM to function correctly. maybe this effects anything webkitgtk (like wike)?
 2024-01-24 06:25:20 +00:00
Colin
95161b55cd spot: sandbox with bwrap 2024-01-24 05:47:04 +00:00
Colin
d91759068c element-desktop: sandbox with bwrap 2024-01-24 05:37:46 +00:00
Colin
c23c496066 programs: tuba: sandbox with bwrap 
it complains "Fontconfig error: No writable cache directories"
seeeeeveral times. not sure if that's new or not. no obvious
consequences.
 2024-01-24 05:34:10 +00:00
Colin
f8e8d23857 vlc: sandbox with bwrap instead of firejail 2024-01-24 05:19:20 +00:00
Colin
8484bb7978 docs: mime: document how to show the nix mime associations 2024-01-24 05:00:35 +00:00
Colin
0e99b296bc animatch: remove the (unused) .config directory 2024-01-24 02:18:58 +00:00
Colin
d0e1241bd1 animatch: fix to run on wayland w/o Xwayland, and enable bwrap sandbox 2024-01-24 01:43:33 +00:00
Colin
c1a0a08b76 gtkcord4: sandbox with bwrap 2024-01-24 00:12:12 +00:00
Colin
e8748ce0a0 servo: lemmy: pict-rs: port the media-enable-full-video -> media-video-allow-audio CLI flag 2024-01-23 17:12:13 +00:00
Colin
7cf9b342cc gpodder: fixup GPODDER_DOWNLOAD_DIR to be more friendly to sandboxing 2024-01-23 16:44:47 +00:00
Colin
8739851f48 evince: port sandbox from firejail to bwrap 2024-01-23 16:44:13 +00:00
Colin
d945b43f6b signal-desktop: switch sandbox from firejail -> bwrap 2024-01-23 16:42:48 +00:00
Colin
7722acecee sway: obtain deps via "config.sane.programs", so that i get the sandboxed version of e.g. splatmoji 2024-01-23 16:32:42 +00:00
Colin
571a0a9d06 gui: disable unused abaddon app 2024-01-23 16:30:06 +00:00
Colin
ccf4f66dd9 programs: dialect: sandbox with bubblewrap 2024-01-23 16:23:14 +00:00
Colin
b38e5403a5 splatmoji: sandbox 2024-01-23 16:01:27 +00:00
Colin
09af041745 g4music: ensure it can access the Music dir in its sandbox 2024-01-23 16:00:21 +00:00
Colin
cb5131746f programs: audacity: sandbox with bubblewrap 2024-01-23 15:59:50 +00:00
Colin
bfd5630e21 programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths 2024-01-23 15:48:12 +00:00
Colin
026f5dee4d programs: g4music: sandbox with bwrap 2024-01-23 15:06:45 +00:00
Colin
b59be8338a firefox: fix up sandboxing of ssh/sops 2024-01-23 14:57:57 +00:00
Colin
ab4bbc2224 programs: remove explicit firejail installation; let sane.programs decide when to install it sys-wide 2024-01-23 14:57:33 +00:00
Colin
156fcd1bf2 aerc: enable bwrap sandbox 2024-01-23 14:57:33 +00:00
Colin
bb63a594ab conky: fixup needed paths for bwrap 2024-01-23 14:57:33 +00:00
Colin
f148334b58 programs: port extraFirejailConfig to extraConfig 2024-01-23 14:57:33 +00:00
Colin
da537ea8ea fractal: switch from firejail -> bwrap 2024-01-23 14:13:09 +00:00
Colin
18d224dc34 dino: switch from firejail to bwrap 2024-01-23 14:12:52 +00:00
Colin
38fd171713 spotify: sandbox with bwrap instead of firejail 2024-01-23 12:12:56 +00:00
Colin
84c78d9256 conky: sandbox with bwrap instead of firejail 2024-01-23 12:11:22 +00:00
Colin
973203d85e programs: mpv: sandbox with bwrap instead of firejail 2024-01-23 11:37:37 +00:00
Colin
f9174dd2aa programs: firefox: sandbox with bwrap instead of firejail 2024-01-23 11:37:19 +00:00
Colin
0bed4d0ada mpv: disable firejail sandboxing (it fails on moby) 2024-01-23 01:01:21 +00:00
Colin
f3e8af3fdb doc: libreoffice: mention "still" v.s. "fresh" variants 2024-01-23 01:00:34 +00:00
Colin
af542ec05f docs: gnome-keyring: point out that system gnome-keyring doesn't inherit my sandboxing 2024-01-23 01:00:06 +00:00