|
3aa2ece59b
|
modules/programs: convert lib.optionalAttrs to mkIf
this allows stuff to be lazier
|
2024-06-07 07:26:07 +00:00 |
|
|
45e121eb1c
|
make-sandboxed: preserve meta.mainProgram
|
2024-06-01 20:01:24 +00:00 |
|
|
36f4fa3018
|
checkSandboxed: fix so that cross-built scripts can be checked again
how did this work earlier? does lappy have binfmt enabled??
|
2024-06-01 13:24:41 +00:00 |
|
|
f875db916d
|
sandboxing: fix checkSandboxed to handle packages with multiple outputs
|
2024-06-01 12:12:46 +00:00 |
|
|
f296d8df93
|
make-sandboxed: fix multi-output packages and sandbox *all* their outputs
this mostly applies to the wrapperType = 'inplace' users
|
2024-05-31 23:26:16 +00:00 |
|
|
4aeb3360d3
|
cleanup: programs: dont assume sway is always the wayland/x11 provider
|
2024-05-30 06:00:32 +00:00 |
|
|
0c456d11d8
|
programs: ensure things which depend on sound or wayland are ordered after it
|
2024-05-30 04:55:05 +00:00 |
|
|
3b73773169
|
programs: ensure things which depend on dbus are ordered after it
|
2024-05-30 03:48:45 +00:00 |
|
|
9ba8ff738b
|
refactor: sane.programs.$foo.service: specify type concretely
|
2024-05-30 03:39:32 +00:00 |
|
|
c5c174f988
|
sway: patch to use a narrower sandbox
|
2024-05-29 18:24:59 +00:00 |
|
|
d865be952a
|
refactor: sandboxing: replace manual --sanebox-keep-namespace pid config with isolatePids = false
|
2024-05-29 12:56:46 +00:00 |
|
|
00d06db66a
|
make-sandboxed: handle more systemd service files
|
2024-05-29 12:54:44 +00:00 |
|
|
be38d56717
|
make-sandboxed: handle more systemd/dbus service file locations
|
2024-05-28 13:36:01 +00:00 |
|
|
af72f312d3
|
sandbox: remove /run/wrappers: SUID wrappers dont really accomplish much inside a namespace
|
2024-05-26 01:18:30 +00:00 |
|
|
73f5c9608e
|
sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@
|
2024-05-25 10:26:36 +00:00 |
|
|
b035d312aa
|
firejail: purge
|
2024-05-25 10:21:31 +00:00 |
|
|
7b1bc210fd
|
sanebox: integrate with pasta (passt) for better net sandboxing
|
2024-05-25 09:39:18 +00:00 |
|
|
118ed5f950
|
sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge
|
2024-05-25 08:17:38 +00:00 |
|
|
ffe599e5cb
|
sanebox: rename --sanebox-net to --sanebox-net-dev
|
2024-05-25 08:13:35 +00:00 |
|
|
cbbddee152
|
modules/programs: add ~/.config/FOO and ~/.local/share/FOO to the sandbox where applicable
|
2024-05-18 06:32:07 +00:00 |
|
|
b5502ea401
|
sanebox: remove --sanebox-cache-symlink flag
|
2024-05-15 23:59:38 +00:00 |
|
|
1211023c55
|
modules/programs: remove dead code from per-user profiles
|
2024-05-15 23:58:10 +00:00 |
|
|
b4229ecb1e
|
sanebox: load the link cache from a static /etc path instead of via CLI args
|
2024-05-15 23:55:15 +00:00 |
|
|
348837ff4a
|
programs: sandboxing: replace profiles with raw CLI args
|
2024-05-15 09:13:20 +00:00 |
|
|
17eaa7446a
|
sanebox: remove all profile-related features except for direct, path-based profile loading
|
2024-05-15 09:13:20 +00:00 |
|
|
530664294a
|
programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS
|
2024-05-15 08:54:16 +00:00 |
|
|
b649071d98
|
programs: sandboxing: make the profiles be generic across users
this is a step toward making the profile not even be dynamically loaded, since its content is no longer dynamic :)
|
2024-05-15 08:48:09 +00:00 |
|
|
ea2653b7ce
|
programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
|
2024-05-15 08:20:09 +00:00 |
|
|
4c1b1282d6
|
modules/programs: sandbox: be compatible with systemd resolved again
|
2024-05-15 02:57:40 +00:00 |
|
|
adfaa7f9c1
|
sane-sandboxed -> sanebox
|
2024-05-15 01:41:40 +00:00 |
|
|
bee3eea040
|
modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox
|
2024-05-14 04:18:29 +00:00 |
|
|
f3106ee316
|
programs: maxBuildCost: fix to actually build everything by default
|
2024-05-13 22:57:40 +00:00 |
|
|
43d32641f3
|
programs: buildCost: introduce a new level between min and light
|
2024-05-13 22:45:33 +00:00 |
|
|
46d95805e9
|
programs: simplify sandbox symlink closure code
|
2024-05-13 07:49:00 +00:00 |
|
|
bd3e06982b
|
sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked
|
2024-05-13 02:11:47 +00:00 |
|
|
660ba94c7c
|
sane-sandboxed: introduce a symlink cache to reduce readlink calls even more
it's all a bit silly. i still do a bunch of -L tests: i just avoid the costly readlink fork :|
|
2024-05-13 01:31:30 +00:00 |
|
|
2eea562d1f
|
sandbox: remove unused "binMap" option
|
2024-04-15 19:56:33 +00:00 |
|
|
0385c09f23
|
sane-sandboxed: split out into an actual package
|
2024-04-15 18:57:22 +00:00 |
|
|
4b22fd95bf
|
introduce 'moby-min' host variant for the quickest deployment (no webkitgtk)
|
2024-04-13 20:29:24 +00:00 |
|
|
febedb9323
|
nits: update --replace uses to --replace-{fail,quiet} as appropriate
|
2024-03-24 12:49:18 +00:00 |
|
|
03fbb780b2
|
sane.programs: sandbox: refactor extraRuntimePaths computation
|
2024-03-24 12:03:38 +00:00 |
|
|
9c0b175260
|
swaync: allow toggling of s6 services
|
2024-03-24 11:54:12 +00:00 |
|
|
6102a0301d
|
sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox
|
2024-03-23 16:37:22 +00:00 |
|
|
5205251f6f
|
programs: xwayland: sandbox it without exposing net access
|
2024-03-23 15:33:23 +00:00 |
|
|
8c48adefa5
|
pipewire: move sockets into a subdirectory for easier sandboxing
|
2024-03-23 13:34:13 +00:00 |
|
|
70b5c57b50
|
modules/programs: enforce (or rather document) a stricter schema
this should make it easier to switch to a different service manager
|
2024-03-21 17:16:01 +00:00 |
|
|
b25df1d997
|
sane-sandboxed: fix capabilities example
|
2024-03-14 01:36:46 +00:00 |
|
|
4510352c07
|
sane-sandboxed: implement --sane-sandbox-no-portal flag
|
2024-03-13 04:49:48 +00:00 |
|
|
430592632c
|
sane-sandboxed: add a help message
|
2024-03-13 04:49:48 +00:00 |
|
|
56aca78d84
|
make-sandboxed: also sandbox the .lib output of a package
|
2024-03-13 04:49:48 +00:00 |
|