a3ae650273
dialect: fix so it works inside a sandbox
2024-03-02 18:25:13 +00:00
3b603519ff
fuzzel: sandbox (well, i probably dont even have it on my system anymore :P)
2024-03-02 07:43:42 +00:00
f69ca166f4
sway: sandbox
2024-03-02 07:41:51 +00:00
3dd1d18dcd
less: sandbox
2024-03-02 07:11:45 +00:00
28cb705bd4
grim: sandbox
2024-03-02 07:11:45 +00:00
7fa1dbc5d5
slurp: sandbox
2024-03-02 07:11:45 +00:00
8b7575c205
swappy: sandbox
2024-03-02 07:11:45 +00:00
52e9902fa1
sane-screenshot: give it permissions to my screenshots dir (derp)
2024-03-02 06:14:05 +00:00
ab765a81af
sway: integrate sane-screenshot as the PrintScreen shortcut
2024-03-02 06:14:05 +00:00
a7bd831ad8
sane-screenshot: port to sane.programs
2024-03-02 06:14:05 +00:00
f4ec09f010
rofi: remember the last selected directory
2024-03-02 00:35:29 +00:00
a40cefc8a5
pipewire: speculatively add /dev/video*
2024-03-02 00:14:47 +00:00
f55bb3518f
wireplumber: add missing /dev/video2 which is on moby
2024-03-02 00:14:21 +00:00
3d16aa62ea
sway: let the pinephone default to it's normal scaling
...
it's actually pretty nice at 2.0 scaling with my current apps. i'll need to tweak swaync, conky, wvkbd, etc. later.
2024-03-01 23:53:31 +00:00
2548cfeadc
xdg-desktop-portal-wlr: fix crashing due to over-restrictive sandbox
2024-03-01 21:17:31 +00:00
90acbf716d
Videos/gPodder: allow access from mpv and rofi
2024-03-01 21:02:04 +00:00
bba149c670
zsh: new c
helper to change into a dir and list it
2024-03-01 20:09:20 +00:00
c056984003
zsh: alias exiy -> exit
2024-03-01 19:56:09 +00:00
2324d75165
switch psmisc -> killall
...
otherwise a really shitty `pstree` makes its way onto my PATH
2024-03-01 18:50:20 +00:00
9296b7731b
rofi: add a .desktop file to rofi-snippets
2024-03-01 18:07:52 +00:00
95c95d6f53
splatmoji: actually install the .desktop files
2024-03-01 18:03:45 +00:00
fca23e661a
xdg-desktop-portal: disable debug logging
2024-03-01 17:50:49 +00:00
9a7ebbd9d3
rofi: configure window height/location
2024-03-01 17:18:40 +00:00
56b00d998e
rofi: theme
...
i still need to figure out how to make it wider for moby
2024-03-01 16:40:09 +00:00
01ef182073
waybar: theme the indicator style
...
i don't know if it's perfect, but it is better
2024-03-01 15:32:52 +00:00
b6daeddfa2
waybar: show different modules for moby v.s. others
2024-03-01 15:25:42 +00:00
c6e956f3d2
waybar: fix button.urgent
color to match sway's client.urgent
2024-03-01 15:03:14 +00:00
82368eb45a
sway: desko: fix monitor layout
...
i guess my monitor's name changed... 👀
2024-03-01 07:19:00 +00:00
65fb9e1d57
rofi: allow access to more servo media paths
2024-03-01 07:14:41 +00:00
b02ae7ef74
moby: polyfill an OK sway layout
2024-03-01 05:20:28 +00:00
37ddb2ae17
waybar: fix font size to be more usable on moby
2024-03-01 04:46:06 +00:00
81e02e2885
sway: moby: fix layout/scale preferences
2024-03-01 04:38:26 +00:00
4a3f59468c
sway: launch gui apps via sane-open-desktop instead of inline
...
this will allow for sandboxing, in the future
2024-03-01 04:19:19 +00:00
daab5939e7
rofi: split sane-open-desktop
out as a helper
2024-03-01 04:19:19 +00:00
e7430c41f9
refactor: sway-config: for readability
2024-03-01 03:29:52 +00:00
5849e75577
sway-config: remove dead window specializations
2024-03-01 03:21:47 +00:00
296123651c
sway: fold sway-config.nix
into default.nix
2024-03-01 03:18:37 +00:00
7f0d5e7810
sane-input-handler: explain why i setsid
2024-03-01 03:11:06 +00:00
7af928a6d2
sway: direct inputs to bonsai WITHOUT swallowing them
2024-03-01 03:10:44 +00:00
b73569d675
wvkbd: fix service typo
2024-02-29 22:04:42 +00:00
50ee15ef2b
send sway-related cross patches upstream
2024-02-29 21:35:02 +00:00
9764d5f095
sway/waybar: decrease cross-specific patches
...
cava cross compiles now (yay); sndio is actually required by waybar if cava is enabled, so remove the disable
2024-02-29 18:56:54 +00:00
43386f3ba5
nixpkgs: update; couple cross-compiling patches have merged upstream
...
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/0852bff4370133e3a62b0cc7d14d193b928a7c59' (2024-02-29)
→ 'github:nixos/nixpkgs/e894afb6c101fea0771b47d7827bef022e89ee1e' (2024-02-29)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/9f21aa90cb8c078969543956d88c19696b646743' (2024-02-29)
→ 'github:nixos/nixpkgs/d29fabd630000579f744d04639d625828ba412bf' (2024-02-29)
```
2024-02-29 18:22:35 +00:00
083f743c1f
remove nixpkgs less
defaults and manage PAGER myself
...
this lets me avoid the lesspipe cross failures, notably
2024-02-29 15:18:51 +00:00
6253d1799a
port sxmo_hook_inputhandler.sh -> sane-input-handler
...
this one can run outside the SXMO environment.
major thing missing at the moment is that rofi doesn't get volume
control inputs because bonsai out-competes it for exclusive control.
2024-02-29 01:26:38 +00:00
d8a8038cae
xdg-terminal-exec: define a .desktop file
2024-02-29 00:17:26 +00:00
7fd56b63cb
rofi: better patch for the DT_UNKNOWN edgecase
2024-02-28 21:41:59 +00:00
7a65bd36c7
rofi: patch the filebrowser to reliably list entries on remote filesystems
...
see: <https://github.com/davatorium/rofi/issues/1954 >
2024-02-28 21:18:19 +00:00
40e30cf2f8
programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that
2024-02-28 17:39:00 +00:00
812c0c8029
packages: reduce the number of packages which are using inplace sandbox wrapping
2024-02-28 17:35:40 +00:00
70229e0839
rofi: persist the filebrowsercache
2024-02-28 15:41:52 +00:00
cd303a76bc
rofi: disable "run" from combi
...
they wouldn't work, since i only 'xdg-open' the entries
2024-02-28 15:32:12 +00:00
e43aa3bb8b
splatmoji: fix sandboxing so rofi can read its config/cache
2024-02-28 15:19:53 +00:00
6c2d80715c
rofi-snippets: fix sandboxing so rofi can read its config/cache
2024-02-28 15:15:02 +00:00
d912190db5
sway: split snippets into own program (rofi-snippets)
2024-02-28 14:44:05 +00:00
c380f61bea
fix "rescue" host to eval again
2024-02-28 14:19:45 +00:00
b302113fc0
modules/programs: require manual definition; don't auto-populate attrset
...
this greatly decreases nix eval time
2024-02-28 13:35:09 +00:00
3816393e06
rofi: try integrating rofi-emoji (failed)
2024-02-28 01:28:05 +00:00
4c6c470c86
sway: snippets: port from fuzzel -> rofi
2024-02-28 01:26:22 +00:00
409a4db232
splatmoji: use rofi instead of fuzzel
...
will be best if i can port everything to one dmenu helper
2024-02-28 01:18:51 +00:00
8f424dcd5a
programs: sandboxing: link /etc into sandboxed programs
...
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
67536e3c1f
programs: assorted: correct sandbox paths now that Pictures/Videos/Books are categorized
...
i don't like this Pictures/ approach though. i may reconsolidate some of those
2024-02-27 21:37:20 +00:00
715de37954
rofi: fix files to be opened with xdg-open
2024-02-27 21:20:12 +00:00
e37a7d85b3
~/Videos: don't persist ALL videos: just ~/Videos/local
...
otherwise, ~/Videos/servo is a symlink which the programs module doesn't know how to traverse (and hence, sandbox).
2024-02-27 20:45:56 +00:00
36f6c72183
rofi: sandbox, and launch apps via xdg-open or gdbus
2024-02-27 18:35:15 +00:00
20a1aeb5b3
programs: add gdbus as a standalone program, separate from the rest of glib
2024-02-27 18:28:24 +00:00
4379addf9e
plumb my configured sway through to everywhere that wants pkgs.sway
.
...
kinda ugly. this lets me avoid having multiple versions of sway on my
system.
2024-02-27 16:11:10 +00:00
5c7eceeb55
grimshot: move to own file
2024-02-27 14:54:53 +00:00
50aa16df81
cross compilation: remove unused patches; note upstreaming status
2024-02-27 14:53:26 +00:00
40e22533fb
swaynotificationcenter: update config/patches to be compatible with 0.10.0
2024-02-27 11:19:29 +00:00
92033c8414
rofi: place druncache into rofi cache dir
2024-02-27 01:21:27 +00:00
16f0424631
rofi: patch so that i can use -run-command "my-launcher {app_id}.desktop"
...
this plus xdg-desktop-portal's DynamicLauncher should provide a way to sandbox everything
2024-02-27 01:03:21 +00:00
6fd1ce1f61
rofi: port cache from plaintext to cryptClearOnBoot
...
because i don't think it has any invalidation logic
2024-02-26 23:04:50 +00:00
a7c325c8e1
xdg-desktop-portal: link applications
so that DynamicLauncher portal can work
2024-02-26 22:31:48 +00:00
245e6c93cd
docs: xdg-desktop-portal: document notable dbus endpoints
2024-02-26 22:29:03 +00:00
ec073592ed
sway: use rofi app launcher instead of fuzzel
2024-02-26 21:22:03 +00:00
617525a317
programs: add rofi (dmenu-style launcher/file browser)
2024-02-26 21:21:30 +00:00
f2e1bb6b86
programs: python3-repl: sandbox
2024-02-25 18:52:55 +00:00
c402a265cd
programs: stepmania: sandbox
2024-02-25 18:26:32 +00:00
d5643a6a5d
assorted static-nix-shell packages: use srcRoot
2024-02-25 17:37:38 +00:00
c9c1181242
programs: wireplumber: sandbox
2024-02-25 17:11:48 +00:00
f9888fe8d6
programs: sane-private-init: sandbox
2024-02-25 16:46:10 +00:00
036145e6ba
programs: sane-private-change-passwd: sandbox
...
note that this is entirely untested
2024-02-25 16:35:13 +00:00
7c486492c8
programs: pipewire: port sandbox to bwrap and restrict further
2024-02-25 15:19:57 +00:00
890b41f563
programs: pipewire: sandbox
...
still need to sandbox wireplumber
2024-02-25 14:34:11 +00:00
ca36fe1b96
programs: gnome.seahorse: sandbox
2024-02-25 12:03:42 +00:00
d2df668c9e
modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
2024-02-25 12:00:00 +00:00
b7921ac41b
refactor: programs: sort
2024-02-25 11:53:49 +00:00
c304367e21
programs: gnome-maps: sandbox
2024-02-25 11:51:50 +00:00
2ad33a49df
refactor: pipewire: remove dead code
2024-02-25 10:38:42 +00:00
0b4efd2ab2
pipewire: migrate services to sane.programs to completely disable socket activation
...
see: https://github.com/NixOS/nixpkgs/issues/291318
2024-02-25 10:36:21 +00:00
0745e9fc06
refactor: programs: split gnome-maps into own file
2024-02-25 09:06:32 +00:00
e0267b5669
programs: pipewire: disable socket activation
2024-02-25 08:55:59 +00:00
b3c7aac8c5
programs: wike: sandbox: enable DRI to fix graphical glitches
2024-02-25 08:38:10 +00:00
c788596c45
programs: sane-private-do: grant net access
...
crucial for e.g. sane-private-do git push
2024-02-25 08:25:13 +00:00
6865331b48
programs: sandbox sane-scripts.private-do
2024-02-25 05:41:27 +00:00
f714bd8281
programs: jq: sandbox
2024-02-25 01:59:01 +00:00
73b2594d9b
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
2024-02-25 01:59:01 +00:00
eecb98e2ee
programs: bonsai: fix eval error
2024-02-23 16:00:32 +00:00
aa0991bd6c
persistence: cleanup so it all works well with symlink-based stores
2024-02-23 13:09:44 +00:00
62b39bf01e
firefox: integrate the "persist" config into "sane.programs"
2024-02-23 11:23:41 +00:00
0d8307e877
programs: gnome-keyring: sandbox
...
and now secrets are readable again. they were broken for the last ~10 commits :)
2024-02-23 09:49:35 +00:00
9b1a2ae9bb
programs: mpv: remove useless "extraRuntimePaths = []" override
2024-02-23 09:32:19 +00:00
b8b805765b
programs: gnome-keyring-daemon: remove the SUID wrapper
...
it's not actually mandated. just, when enabled, gkd will `mlock` its
secrets into memory. but i don't use swap anyway. plus, i'll enable that
momentarily anyway (though systemd will probably not understand the
capablity)
2024-02-23 09:28:41 +00:00
84eae20765
gnome-keyring: don't integrate with PAM
...
PAM integration is only required if the keyring is encrypted on-disk
2024-02-23 09:15:30 +00:00
4a10c5f729
gnome-keyring: start as systemd service explicitly, not as implicit dbus service
2024-02-23 09:09:54 +00:00
c2696c1cd9
gnome-keyring: use sane.fs abstractions to write out the keyrings
2024-02-23 08:57:41 +00:00
ea6f45555c
gnome-keyring: simplify the scripts (untested)
2024-02-23 08:14:09 +00:00
687db545b4
gnome-keyring: move persistence and init script to sane.programs
2024-02-23 07:22:07 +00:00
24d1d13d0a
programs: simplify sandboxing of file browsers/etc now that private data lives on a different mount
2024-02-23 07:06:29 +00:00
057b9e3fed
replace links/references to ~/private/FOO with just ~/FOO
2024-02-23 07:06:29 +00:00
4a316d4b91
bonsai: lift out of sxmo
2024-02-23 07:06:29 +00:00
af03b3f6e8
xwayland: sandbox
2024-02-23 01:05:24 +00:00
5819f07181
programs: xwayland: sandbox
2024-02-22 22:12:03 +00:00
122f3fa5cc
sway: remove xwayland-specific placement of Signal
...
it breaks non-xwayland sway config parsing, and Signal is native Wayland now anyway even with Xwayland running'
2024-02-22 22:01:48 +00:00
473999c001
sway: re-enable networkmanager
2024-02-21 23:46:25 +00:00
d1de9efde1
sway: port xwayland use to sane.programs API
2024-02-21 23:32:10 +00:00
50c3f04714
pipewire: remove dead alsa comments
2024-02-21 23:26:40 +00:00
49bad8f186
sway: split pipewire persisted file into pipewire.nix
2024-02-21 23:26:25 +00:00
fd9f500e97
sway: split pipewire config into separate sane.programs.pipewire
2024-02-21 23:23:52 +00:00
386651044e
sway: port to sane.programs API
2024-02-21 23:18:57 +00:00
d77a12ce7b
unl0kr: remove the "afterLogin" option and choose automatically which desktop to launch
2024-02-21 20:47:48 +00:00
153d2a1047
GSK_RENDERER: don't set globally, but just for the apps which _actually_ require it
...
this way i can avoid conflicts around apps which don't expect this to be set (e.g. delfin)
2024-02-21 16:56:56 +00:00
b8f090be93
programs: delfin: add required mpris permissions
2024-02-21 13:27:19 +00:00
5a0760a571
programs: sandbox oathtools
2024-02-21 00:03:48 +00:00
757ab79724
programs: dconf: sandbox
2024-02-20 23:43:25 +00:00
81148b7b42
programs: explicitly depend on dconf instead of manually persisting dconf's dirs
2024-02-20 23:39:27 +00:00
429d0c53e7
programs: ripgrep: sandbox with bwrap instead of landlock
...
this provides network isolation
2024-02-20 23:32:54 +00:00
6cf1bc5a28
programs: grep: sandbox
2024-02-20 23:32:28 +00:00
768b340c93
findutils: sandbox
...
use bwrap instead of landlock for the dumb preference that i can disable
net
2024-02-20 23:31:58 +00:00
d9901aa161
programs: sane-secrets-*: sandbox
2024-02-20 23:31:39 +00:00
be2098c18a
programs: sane-vpn: sandbox
2024-02-20 23:05:24 +00:00
bb569b1668
sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo)
2024-02-20 22:21:02 +00:00
71025329e7
programs: sane-dev-cargo-loop: sandbox
2024-02-20 19:26:38 +00:00
ca4d1e3b9d
programs: sane-tag-music: sandbox
2024-02-20 19:26:18 +00:00
284b698015
sane-reclaim-boot-space: fix, and sandbox
...
well i didn't get to test this thoroughly: might still have problems
2024-02-20 19:16:36 +00:00
8beac8df2f
programs: sandbox sane-shutdown, sane-reboot
2024-02-20 13:43:05 +00:00
58db553c84
programs: unl0kr: sandbox
2024-02-20 13:29:56 +00:00
2ea3776d84
programs: sane-sync-from-servo: remove
...
this was obsoleted by the top-level flake `sync` scripts
2024-02-20 13:16:21 +00:00
a624571b22
move glib program recommendation into programs/assorted.nix
2024-02-20 12:11:26 +00:00
53cbe5c8da
dconf: split into own sane.programs
definition
2024-02-20 12:09:52 +00:00
a05184f956
programs: neovim: fix nvim-treesitter typo
2024-02-20 10:23:52 +00:00
36ad2d5421
programs: unl0kr: auto-derive the user option
2024-02-20 07:21:22 +00:00
b0f62830a5
unl0kr: port to sane.programs
2024-02-20 07:14:30 +00:00
c7f4661c1c
programs: htop: persist config
2024-02-20 05:38:45 +00:00
e8306831c5
programs: qemu: mark as slowToBuild
2024-02-20 05:34:47 +00:00
41b1a013d7
programs: sane-sudo-redirect: disable sandbox
2024-02-19 17:09:27 +00:00
f785ccd351
programs: sane-reclaim-disk-space: sandbox
2024-02-19 17:06:22 +00:00
48744dcaaa
programs: sane-ip-reconnect: remove (unused)
2024-02-19 17:05:27 +00:00
9373864b60
programs: sane-git-init: remove (unused)
2024-02-19 16:53:59 +00:00
c16c9dfe0b
programs: sandbox a bunch of sane scripts
2024-02-19 16:51:53 +00:00
2d17826731
programs: eza: sandbox with bwrap instead of landlock
2024-02-19 15:32:40 +00:00
de297f22be
programs: split sane-scripts out of assorted.nix
2024-02-19 14:19:10 +00:00
4b47b76461
programs: sfeed: sandbox
2024-02-19 14:14:59 +00:00
3effd59c9b
xdg-desktop-portal-{gtk,wlr}: start via service manager, with ordered deps, instead of letting dbus activate it for us
...
that gets more reliable environment importing, etc
2024-02-19 13:44:23 +00:00
44647e0d36
programs: forkstat: sandbox
2024-02-19 13:15:15 +00:00
da1053d635
programs: configure auto-launching programs to only start *after* graphical-session.target
...
this ensures they really have their environment
2024-02-19 12:58:08 +00:00
8886177c23
xdg-desktop-portal: fix it to find all the portal configs again
...
maybe i broke this when i simplified XDG_CONFIG_DIRS? not sure
2024-02-19 12:58:08 +00:00
35b4cc779f
megapixels: switch to bwrap, to support Loupe image viewer
2024-02-18 18:46:37 +00:00
c7d111a318
megapixels: 1.7.0 -> 1.8.0
2024-02-18 18:27:47 +00:00
7e5eb6324d
megapixels: sandbox
...
it's iffy... 1.8.0 is released, which can be sandboxed w/o sys/dev/char or ~/.local/share/applications, but seems to be even flakier
2024-02-18 17:44:49 +00:00
55c305812d
WIP: megapixels: sandbox
2024-02-18 13:53:18 +00:00
67395bdcd3
programs: ship forkstat
2024-02-18 11:58:30 +00:00
a591be98d4
programs: portfolio-filemanager: sandbox
2024-02-18 07:07:29 +00:00
82e028e37d
programs: nautilus: assign a mime priority
2024-02-18 07:07:29 +00:00
7f7543ee78
programs: planify: sandbox
2024-02-18 07:07:29 +00:00
8d0e3e0db3
programs: notejot: sandbox
2024-02-18 07:07:29 +00:00
bf352d184c
programs: tangram: sandbox
2024-02-18 07:07:29 +00:00
81a6600f54
programs: xarchiver: sandbox
2024-02-18 07:07:29 +00:00
536f0aedc3
open-in-mpv: remove my patch which has been upstreamed, previously required to use xdg-open
2024-02-18 04:52:27 +00:00
98aafead94
programs: wob: add missing "coreutils" dep
...
it *should* be acquired via user's PATH, but wob-pulse can start before sway imports PATH to systemd
2024-02-17 16:38:22 +00:00
f8663cd827
programs: monero-gui: sandbox
2024-02-17 16:06:58 +00:00
af1ee1734d
programs: wireguard-tools: sandbox
2024-02-17 15:54:16 +00:00
5375cab716
programs: ntfy-sh: sandbox
2024-02-17 15:47:47 +00:00
162b3f5674
imagemagick: don't add 'ghostscript' package to path
2024-02-17 15:45:50 +00:00
a729f91d21
programs: jq: add working sandbox criteria, but don't enable yet
...
i need to handle the extremely common `cat foo | jq .` without adding
`.` to the sandbox
2024-02-17 15:36:41 +00:00
a273b559e2
programs: gnome-disk-utility: sandbox
2024-02-17 15:36:28 +00:00
785b375671
programs: smartmontools (smartctl): sandbox
2024-02-17 15:36:13 +00:00
24cba0c856
programs: xq: remove
2024-02-17 15:30:23 +00:00
df1db5d01c
programs: sox: sandbox
2024-02-17 15:27:22 +00:00
6749b64bca
programs: nautilus: add mounted media to the sandbox
2024-02-17 15:26:49 +00:00
d3e4bdfcd5
programs: gdisk: fix sandboxing
2024-02-17 15:26:16 +00:00
799cd4373f
programs: socat: disable
2024-02-17 15:11:12 +00:00
2efa6d1e27
programs: mepo: sandbox
2024-02-17 15:08:21 +00:00
a1470956a5
programs: gdisk: sandbox
2024-02-17 14:57:33 +00:00
556c20bc04
programs: vulkan-tools: sandbox
2024-02-17 14:53:22 +00:00
cf5f58dda6
programs: nmap: sandbox
2024-02-17 14:51:26 +00:00
6f8c299c69
programs: xdg-desktop-portal: log more
2024-02-17 14:40:56 +00:00
bbf7aac062
programs: gnome-frog: sandbox
2024-02-17 14:40:42 +00:00
7d1fd2f30a
programs: nvme-cli: sandbox
2024-02-17 14:40:29 +00:00
472987f164
programs: gimp: fix sandboxing failure
2024-02-17 13:43:35 +00:00
784c2145f3
programs: iputils: sandbox
2024-02-17 03:33:05 +00:00
0000afb315
programs: make nixosBuiltins
package set more precise
2024-02-17 03:08:14 +00:00
31fa21bd20
programs: host/iproute2/iw/nettools/wirelesstools: sandbox
2024-02-17 03:05:58 +00:00
9510817604
programs: document nixosBuiltins programs
2024-02-17 02:40:28 +00:00
4a84de3ee4
programs: inetutils/iptables: sandbox
2024-02-17 02:32:57 +00:00
ab42a4cc5a
programs: qemu: disable sandbox
2024-02-17 01:43:58 +00:00
f6537b083a
programs: discord: add dbus to sandbox
2024-02-17 01:42:22 +00:00
1b4306e649
programs: switch bridge-utils, btrfs-progs from landlock -> bwrap
...
landlock can't isolate net yet, so bwrap gives better sandboxing
2024-02-16 15:32:41 +00:00
af8a8358bd
programs: hdparm: sandbox
2024-02-16 15:32:41 +00:00
464c6c56c5
programs: btrfs-progs: sandbox
2024-02-16 15:32:41 +00:00
8e314e8b73
programs: bridge-utils: sandbox
2024-02-16 15:32:41 +00:00
198029f95f
programs: netcat: sandbox
2024-02-16 15:32:41 +00:00
1d646459ab
programs: pulsemixer: sandbox
2024-02-16 15:32:41 +00:00
8f3bab3636
programs: sort
2024-02-16 15:32:41 +00:00
a909a93c29
programs: strings: fix sandboxing
2024-02-16 15:32:41 +00:00
6aaa724abf
programs: strings: sandbox
2024-02-16 14:57:25 +00:00
a1c721d5b4
programs: binutils-unwrapped -> strings: distribute just the binary i care about
2024-02-16 14:57:25 +00:00
cd3b4dde7b
programs: nix-index: sandbox
2024-02-16 11:39:05 +00:00
a9d384688a
programs: alsaUtils: sandbox
2024-02-16 11:28:43 +00:00
fffd6f4204
programs: pciutils: sandbox
2024-02-16 11:12:47 +00:00
324485d105
programs: networkmanagerapplet: sandbox
2024-02-16 11:07:24 +00:00
7cb8b144b2
programs: sandbox fatresize
2024-02-16 10:45:56 +00:00
c2bb97e7e6
programs: ethtool: sandbox
2024-02-16 10:38:39 +00:00
3cbdc03369
programs: zeal: disable sandboxing
2024-02-16 10:32:49 +00:00
5c7fa591a0
programs: sandbox: dtrx/e2fsprogs/efibootmgr/electrum
2024-02-16 10:32:18 +00:00
18c54e8b04
programs: sandbox cryptsetup and ddrescue (latter is untested, probably lacking!)
2024-02-16 10:05:24 +00:00
1416856fb6
programs: blueberry: sandbox
2024-02-16 07:58:00 +00:00
2a5bc6f612
programs: util-linux: disable sandbox
2024-02-16 07:37:59 +00:00
c56a6a8c24
programs: disable libcap_ng since it cant sandbox
2024-02-16 07:32:34 +00:00
f5a4bdedaf
programs: libcap_ng (netcap): disable sandbox
2024-02-16 07:32:05 +00:00
114a45f347
programs: pstree: sandbox
2024-02-16 06:57:45 +00:00
d53344d527
programs: killall: sandbox
2024-02-16 06:57:32 +00:00
561447de70
programs: shattered-pixel-dungeon: sandbox
2024-02-16 06:57:03 +00:00
9cc12fab5d
programs: gpodder: fix to work in sandbox (add dbus)
2024-02-16 06:07:46 +00:00
5cda3b2805
programs: firefox/fractal: document portal filechooser limitations
2024-02-16 05:49:56 +00:00
4afd56ff4c
programs: powertop: fix capabilities typo in sandbox definition
2024-02-16 05:49:13 +00:00
94b4f78e39
programs: lemoa: sandbox
2024-02-16 05:32:22 +00:00
3fd89ec91b
programs: sandbox powertop
2024-02-16 05:28:17 +00:00
4085828575
programs: sandbox parted
2024-02-16 05:28:07 +00:00
1a972927b6
programs: sandbox nethogs, nmon, nixpkgs-review
2024-02-16 05:27:50 +00:00
5f3ec42f57
programs: sandbox lsof with capsh only
...
can't get it to sandbox any more aggressively with either landlock or
bwrap
2024-02-16 04:55:18 +00:00
28aaeb051f
programs: disable sandboxing for strace and screen
2024-02-16 04:51:52 +00:00
9d252d095e
programs: htop/iotop/iftop: sandbox
2024-02-16 04:51:18 +00:00
4e5e4219ec
programs: usbutils: sandbox
2024-02-16 04:03:47 +00:00
824dd7c1f5
programs: endless-sky: sandbox with bwrap
2024-02-16 04:00:27 +00:00
b840a0d61c
programs: space-cadet-pinball: sandbox w/ bwrap
2024-02-16 03:58:09 +00:00
36bcecfd68
programs: sort
2024-02-16 03:53:53 +00:00
c3a5fb9394
programs: wdisplays: sandbox with bwrap
2024-02-16 03:53:27 +00:00
30507c3564
programs: soundconverter: sandbox with bwrap
2024-02-16 03:51:23 +00:00
2b66ffc58a
programs: feedbackd: sandbox w/ bwrap
2024-02-16 03:49:59 +00:00
48d96c1f36
programs: hase: sandbox with bwrap
...
couldn't test the net feature, because hase servers have since gone
offline :((
2024-02-16 03:48:59 +00:00
cdf61755a3
programs: splatmoji: document the sandboxing approach
2024-02-16 03:46:48 +00:00
511752fab5
programs: xdg-desktop-portal{-gtk,-wlr}: enable sandbox
2024-02-16 03:17:19 +00:00
40ed7cff1b
programs: git: fix failing sandbox build
2024-02-16 03:16:46 +00:00
5e7f914354
programs: superTux: fix failing sandbox build
2024-02-16 03:16:28 +00:00
0dec8b6d5b
programs: fontconfig: sandbox
2024-02-15 18:26:45 +00:00
7eaffc9fa0
programs: w3m: enable sandbox
2024-02-15 18:25:48 +00:00
b7c1a6331d
programs: mate.engrampa: enable sandbox
2024-02-15 18:24:27 +00:00
d6868d58e6
xdg-desktop-portal: disable sandbox
2024-02-15 18:23:40 +00:00