b29b8bdec7
wireshark: specify capabilities via sandbox.capabilities config
2024-01-27 17:12:40 +00:00
a7d081bfcb
modules/programs: add a sane.strictSandboxing option
2024-01-27 17:11:07 +00:00
5ca208d07f
modules/programs: sandbox: add enable flag and capabilities structured config
2024-01-27 17:08:27 +00:00
6c605944c5
pkgs: firefox-extensions: update to latest
2024-01-27 15:50:47 +00:00
02b6e17449
nicotine-plus: disable
...
now i have no firejail programs; no more setuid wrapper in /run/wrappers :)
2024-01-27 15:37:43 +00:00
770db96ec6
go2tv: sandbox with bwrap
2024-01-27 15:31:08 +00:00
ff356fdd49
playerctl: sandbox with bwrap
2024-01-27 15:18:56 +00:00
eec89e2cc1
librewolf: sandbox with bwrap
2024-01-27 15:16:53 +00:00
d69d8f64f3
tor-browser: sandbox with bwrap; remove useHardenedMalloc patch
2024-01-27 15:04:22 +00:00
4ee2562202
programs: tidy: prefer "sandbox.extraHomePaths" over "fs" for external deps
2024-01-27 14:54:17 +00:00
08b1ece56e
programs: gnome-weather: sandbox with bwrap
2024-01-27 14:53:38 +00:00
26b978dcf2
modules/programs: sandbox: fix "inline" -> "inplace" typo
2024-01-27 14:42:25 +00:00
b22c2e094c
koreader: sandbox with bwrap
2024-01-27 14:39:22 +00:00
b40775f97c
koreader-from-src: document FTP configuration
2024-01-27 14:39:02 +00:00
a27a72646c
koreader-from-src: fix non-cross build
2024-01-27 14:38:52 +00:00
100ddad40e
wike: link to issue about state directory
2024-01-27 14:27:02 +00:00
d8b6d419b6
modules/programs: sandboxing: add wrapperType = "wrappedDerivation"
to wrap without rebuilding the whole package
2024-01-27 14:26:41 +00:00
1bde38bf72
cozy: sandbox with bwrap
2024-01-27 13:11:22 +00:00
a06c81643c
sane-sandboxed: don't error if ~ files aren't available to be bound
2024-01-27 12:48:58 +00:00
15fd7bf4a5
sane-sandboxed: implement a "capshonly" backend
2024-01-27 12:39:36 +00:00
0a25ef544f
wike: sandbox with bwrap
2024-01-27 12:29:58 +00:00
a6b824d3c4
modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system
2024-01-27 12:23:25 +00:00
79ee47bada
firefox: get away with linking slightly less into the sandbox
2024-01-27 11:41:18 +00:00
be06e61bfb
programs: geary: fix sandboxing
...
this is an UGLY one. geary itself uses bwrap, and that fails if it's sandboxed AT ALL in landlock (i.e. even with just / landlocked as RW).
maybe this has to do with what landlock-sandboxer considers 'read/write' to be, and there's actually more file ops i need to enable on /
2024-01-27 11:28:08 +00:00
3b4884fcf1
sane-sandbox: fix secret binding
2024-01-27 11:26:10 +00:00
4319dc58eb
programs: landlock: restrict the capabilities of sandboxed processes
2024-01-27 09:49:51 +00:00
3122434908
programs: add an option to configure extra home paths to make accessible in the sandbox
2024-01-27 09:11:32 +00:00
dae7785ee2
wireshark: remove dead code
2024-01-27 09:04:08 +00:00
d54f8b1e93
programs: fix so environment variables make it onto user sessions
2024-01-27 09:02:55 +00:00
27f3b2bd76
firefox: allow ~/tmp and ~/Pictures access
2024-01-27 06:00:46 +00:00
b417f60769
sane-sandboxed: try binding /proc/self in landlock. still doesnt work well
2024-01-27 05:59:40 +00:00
df2d5b6d01
sane-sandboxed: fixup /dev/std* for wireshark
2024-01-27 05:12:43 +00:00
3e6278fa21
wireshark: sandbox with landlock instead of firejail
...
and remove the SUID wrapper, yay!
2024-01-27 04:44:21 +00:00
a66b257644
sane-sandboxed: better support for landlock and SANE_SANDBOX_PREPEND/APPEND
2024-01-27 04:43:42 +00:00
ef66d2ec72
sane-sandboxed: add support for landlock backend
2024-01-27 03:39:26 +00:00
e21dbd507d
landlock-sandboxer: init
2024-01-26 16:52:33 +00:00
64878bee67
sane-sandboxed: add SANE_SANDBOX_PREPEND, SANE_SANDBOX_APPEND env vars
2024-01-26 09:14:18 +00:00
557a080ffc
TODO.md: try landlocked for sandboxing, instead of bubblewrap
2024-01-26 09:13:46 +00:00
8ecb17ed3e
programs: enable libcap_ng/netcap
2024-01-26 09:13:20 +00:00
c4874c85b1
bubblewrap: debugging
2024-01-26 09:13:00 +00:00
563a75e9b2
users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw
...
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
2024-01-25 15:05:35 +00:00
7f002b8718
programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting
2024-01-24 06:34:11 +00:00
79e2bd2913
epiphany: sandbox with bwrap
...
this is the first app which *requires* DRI/DRM to function correctly. maybe this effects anything webkitgtk (like wike)?
2024-01-24 06:25:20 +00:00
95161b55cd
spot: sandbox with bwrap
2024-01-24 05:47:04 +00:00
d91759068c
element-desktop: sandbox with bwrap
2024-01-24 05:37:46 +00:00
c23c496066
programs: tuba: sandbox with bwrap
...
it complains "Fontconfig error: No writable cache directories"
seeeeeveral times. not sure if that's new or not. no obvious
consequences.
2024-01-24 05:34:10 +00:00
824630f7d1
programs: sandboxing: document /dev/dri a bit more
2024-01-24 05:28:27 +00:00
f8e8d23857
vlc: sandbox with bwrap instead of firejail
2024-01-24 05:19:20 +00:00
8484bb7978
docs: mime: document how to show the nix mime associations
2024-01-24 05:00:35 +00:00
57105c6861
sane-sandboxed: autodetect: handle file:/// URIs
2024-01-24 05:00:08 +00:00