|
27b56b1a12
|
programs: sane-sandbox: implement a cleaner debugshell and test API
|
2024-01-23 11:19:52 +00:00 |
|
|
6e9220d2bb
|
programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing
|
2024-01-23 10:44:13 +00:00 |
|
|
0ddcfcaa23
|
sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds
|
2024-01-23 08:01:23 +00:00 |
|
|
a4cb6645b4
|
programs: indirect firejail access through sane-sandboxed
|
2024-01-23 04:02:31 +00:00 |
|
|
2492ed2ca7
|
programs: introduce a sane-sandboxed helper
not yet used, but will be soon
|
2024-01-23 02:29:33 +00:00 |
|
|
f49d2a1e0e
|
programs: split "makeSandboxed" into its own file
|
2024-01-23 01:23:14 +00:00 |
|
|
0dc3f4f7f2
|
modules/programs: move to subdir
this will help me factor out helpers
|
2024-01-23 01:02:04 +00:00 |
|
|
0bed4d0ada
|
mpv: disable firejail sandboxing (it fails on moby)
|
2024-01-23 01:01:21 +00:00 |
|
|
f3e8af3fdb
|
doc: libreoffice: mention "still" vs. "fresh" variants
|
2024-01-23 01:00:34 +00:00 |
|
|
af542ec05f
|
docs: gnome-keyring: point out that system gnome-keyring doesn't inherit my sandboxing
|
2024-01-23 01:00:06 +00:00 |
|
|
399a1d2052
|
steam: use wrapped package as system steam
|
2024-01-23 00:59:23 +00:00 |
|
|
bb6e5611d4
|
docs: conky: point out that un-sandboxed conky is used by sxmo-utils
|
2024-01-23 00:58:56 +00:00 |
|
|
d5901afb8e
|
programs: firejail: specify profile via : (clarifies to firejail that it's an identifier and not a path); invoke firejail via name instead of absolute path
|
2024-01-22 23:58:54 +00:00 |
|
|
c11f5a1401
|
wireshark: fix security.wrappers when wireshark is disabled
|
2024-01-22 23:58:04 +00:00 |
|
|
5b220f3fec
|
wireshark: enable firejail isolation
|
2024-01-22 13:12:10 +00:00 |
|
|
8bf41ea858
|
programs: fix missing newline in firejail config concatenation
|
2024-01-22 13:11:47 +00:00 |
|
|
df861a3ef0
|
programs: firejail: inject custom firejail config through /etc/firejail
this improves rebuild times, and makes it easier for packages to inject their own free-form config
|
2024-01-22 11:12:18 +00:00 |
|
|
d6754b6cac
|
evince: sandbox with firejail
|
2024-01-22 10:20:29 +00:00 |
|
|
b03d7f7fb0
|
geary: test the firejail profile; it's not ready
|
2024-01-22 10:04:18 +00:00 |
|
|
008b186479
|
audacity: test the firejail profile; it's not ready
|
2024-01-22 10:04:03 +00:00 |
|
|
914f9b3703
|
vlc: sandbox with firejail
|
2024-01-22 09:47:24 +00:00 |
|
|
ed7ec4a371
|
conky: sandbox with firejail
|
2024-01-22 09:31:00 +00:00 |
|
|
2d338201a5
|
signal-desktop: sandbox with firejail
TODO: fix URL opening / xdg-open
|
2024-01-22 09:30:34 +00:00 |
|
|
a8aad1f98f
|
dino: sandbox with firejail
TODO: fix URL opening / xdg-open
|
2024-01-22 09:30:13 +00:00 |
|
|
2d06b93118
|
fractal: sandbox with firejail
TODO: seems this broke link opening? (xdg-open?)
|
2024-01-22 09:28:50 +00:00 |
|
|
60547204a8
|
sane.programs: firejail: support wrapping "runCommand" packages
|
2024-01-22 09:16:25 +00:00 |
|
|
3d763a0021
|
tor-browser-bundle-bin -> tor-browser
upstream nixpkgs just has tor-browser-bundle-bin as an alias for tor-browser
|
2024-01-22 08:13:37 +00:00 |
|
|
ad474873e2
|
dovecot: fix unparseable config
upstream/nixpkgs is doing some shit, ugh
|
2024-01-22 08:09:37 +00:00 |
|
|
dd35136ac0
|
firejail: fix so /run/wrappers are available inside a jail
|
2024-01-22 07:18:50 +00:00 |
|
|
cfe6e9c20a
|
nixpkgs: 2024-01-19 -> 2024-01-22
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/331c78971299375240001d946861951b6cc98176' (2024-01-19)
→ 'github:nixos/nixpkgs/dceddd03df4f840ea28c65887c199495793fb322' (2024-01-22)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/bbec4099302591a41304d360e3bab805e5ccc0be' (2024-01-19)
→ 'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/87755331580fdf23df7e39b46d63ac88236bf42c' (2024-01-15)
→ 'github:Mic92/sops-nix/ae171b54e76ced88d506245249609f8c87305752' (2024-01-21)
```
|
2024-01-22 04:05:59 +00:00 |
|
|
0f3f0933b1
|
mpv: sandbox with firejail
|
2024-01-22 03:50:28 +00:00 |
|
|
f8440e3811
|
go2tv: allow more ports through the firewall
|
2024-01-22 03:50:04 +00:00 |
|
|
829460a076
|
todo: update firejail/sandboxing tasks
|
2024-01-22 02:04:32 +00:00 |
|
|
9ecd0adcbe
|
firefox: sandbox with firejail
TODO: get it so open-in-mpv launches an mpv that has access to ~/.config/mpv
i guess this is the 'firejail url problem'
|
2024-01-21 23:59:15 +00:00 |
|
|
ad92a2e158
|
programs: abort when no firejail profile is found for a program.
in the future, i can whitelist specific binaries to omit their firejail
profiles.
|
2024-01-21 04:32:49 +00:00 |
|
|
5f5891d241
|
programs: apply firejail profile to programs which are net isolated
|
2024-01-21 04:28:48 +00:00 |
|
|
cf475c4696
|
nicotine-plus: remove distro-specific symlink
|
2024-01-21 03:56:33 +00:00 |
|
|
992194a1f0
|
programs: achieve network sandboxing without "sane-vpn do"
|
2024-01-21 03:51:12 +00:00 |
|
|
bad6a7bfee
|
programs: implement "default vpn" with native nix code instead of sane-vpn
|
2024-01-21 01:04:31 +00:00 |
|
|
66d5e204be
|
vpn: enforce "id" restrictions
|
2024-01-21 00:57:46 +00:00 |
|
|
ce35330923
|
vpn.nix: factor into a proper module
this will allow for better integration with 'sane.programs'
|
2024-01-21 00:49:34 +00:00 |
|
|
bdab1aa7e3
|
firefox-extensions: update to latest
|
2024-01-20 21:30:15 +00:00 |
|
|
080c8dbe3d
|
sane-bt-search: try to install some logging for a sporadic error
|
2024-01-20 21:19:18 +00:00 |
|
|
a31fe44624
|
sane-bt-add: handle https:// URIs which forward to magnet:
|
2024-01-20 21:18:58 +00:00 |
|
|
59187a0ec0
|
programs: allow running binaries in a netns-style firejail
|
2024-01-20 11:11:12 +00:00 |
|
|
03fbf42680
|
servo: lemmy: pict-rs: fix broken CLI argument
|
2024-01-20 03:15:06 +00:00 |
|
|
f3b2a98874
|
firejail: fix cross compilation
|
2024-01-20 03:14:32 +00:00 |
|
|
2e9084c9ef
|
nixpkgs: 2024-01-14 -> 2024-01-19; sops-nix -> 2024-01-15
```
• Updated input 'nixpkgs-next-unpatched':
'github:nixos/nixpkgs/724e39ebb9b8eda97f17d423f66fbc5a991f4f8d' (2024-01-14)
→ 'github:nixos/nixpkgs/331c78971299375240001d946861951b6cc98176' (2024-01-19)
• Updated input 'nixpkgs-unpatched':
'github:nixos/nixpkgs/6c08fe3ccf437d8b26bec010fd925ddd6bb0d0d5' (2024-01-14)
→ 'github:nixos/nixpkgs/bbec4099302591a41304d360e3bab805e5ccc0be' (2024-01-19)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/70dd0d521f7849338e487a219c1a07c429a66d77' (2024-01-14)
→ 'github:Mic92/sops-nix/87755331580fdf23df7e39b46d63ac88236bf42c' (2024-01-15)
```
|
2024-01-20 03:14:32 +00:00 |
|
|
0907240fda
|
sane-vpn: implement the "do" command, to run a program in a netns
|
2024-01-19 22:55:26 +00:00 |
|
|
7d670facd4
|
feeds: sort
|
2024-01-19 21:38:45 +00:00 |
|