8029744c90
modules/programs: don't expose *all* of /run/secrets/home to every program
...
this was actually causing a lot of bwrap errors because that directory's not user-readable
turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
2024-03-02 18:51:39 +00:00
40e30cf2f8
programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that
2024-02-28 17:39:00 +00:00
b302113fc0
modules/programs: require manual definition; don't auto-populate attrset
...
this greatly decreases nix eval time
2024-02-28 13:35:09 +00:00
73b2594d9b
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
2024-02-25 01:59:01 +00:00
88a70b41f1
modules/programs: handle more symlink forms when calculating a program's sandbox closure
2024-02-24 11:47:39 +00:00
6f59254a22
modules/programs: fix symlink following
2024-02-24 05:36:44 +00:00
170eeeacc4
programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure
2024-02-23 07:06:29 +00:00
5f1036118f
modules/programs: sandboxing: add a "whitelistX" option
2024-02-15 00:09:16 +00:00
22ca253ae0
modules/programs: better document the env
option
2024-02-14 11:08:43 +00:00
8b32f2f231
modules/programs: add support for 'autodetectCliPaths = parent'
2024-02-14 04:31:59 +00:00
080bd856ec
programs: sandboxing: only permit wayland socket access to those specific apps which require it
2024-02-14 01:49:49 +00:00
34b148f6cc
modules/programs: allow specifying perlPackages members as programs, as i do with python3Packages, etc
2024-02-13 12:31:04 +00:00
1a18ed533b
programs: don't include dbus in the sandbox by default
2024-02-13 11:58:33 +00:00
6eaaeeb91a
programs: remove audio from the sandbox by default
2024-02-13 11:14:38 +00:00
bb68506839
modules/programs: add separate "user" v.s. "system" options for whitelistDbus
2024-02-13 10:55:10 +00:00
126f3e4922
programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default
2024-02-13 10:28:30 +00:00
73afceb8c6
modules/programs: sandbox: add whitelistWayland
option
2024-02-13 10:24:35 +00:00
27fd81ad80
modules/programs: add new options for whitelisting audio/dbus
2024-02-12 15:23:35 +00:00
7b28023e08
modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr
2024-02-12 14:27:48 +00:00
b0394d877d
modules/programs: rename allowedRootPaths -> allowedPaths
...
now that allowedHomePaths doesn't exist
2024-02-12 13:00:10 +00:00
a90b5b53db
modules/programs: sandboxing: dereference symlinks and also include those in the sandbox
2024-02-12 12:48:02 +00:00
eee3e138ff
modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox
2024-02-12 12:18:59 +00:00
f61cd17e99
modules/programs: sandboxing: specialize profiles per-user by expanding $HOME
2024-02-12 12:08:58 +00:00
3e0b0a0f02
modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
2024-02-12 11:52:33 +00:00
2ee34e9af3
modules/profiles: remove sandbox.embedProfile option
...
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
2024-02-12 11:35:59 +00:00
93012664e5
modules/programs: simplify how sandbox profiles make it into system packages
2024-02-12 10:52:44 +00:00
0861edd7f9
modules/programs: remove ~/.config/mimeo from sandbox defaults
2024-02-11 23:35:27 +00:00
b6bf8720c9
modules/programs: implement --sane-sandbox-portal flag for apps which want to use the portal to open other apps
2024-02-11 23:32:24 +00:00
c9af5bf9b4
programs: sandboxing: enable net isolation for most sandboxed programs
2024-02-08 21:51:32 +00:00
bc85169e3d
programs: sandboxer: allow disable net access
2024-02-08 21:07:34 +00:00
0c050d1953
programs: fuzzel: fix overly-aggressive sandboxing
2024-02-06 20:10:29 +00:00
4d51c34ad2
programs: allow sane.strictSandboxing = "warn"
2024-02-05 05:28:02 +00:00
3439ca34b8
sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev)
2024-02-03 00:17:24 +00:00
2bb9115f35
modules/programs: sandboxing: add "whitelistDri" option for gfx-intensive apps
2024-02-02 17:18:51 +00:00
567c7993b6
modules/programs: sandbox: allow mimeo config in any sandbox
2024-02-02 12:52:36 +00:00
00f995aec9
fixup landlock-sandboxer to work well for all systems
...
downgrade lappy/desko/servo back to default linux; zfs doesn't support latest
build landlock-sandboxer against the specific kernel being deployed; it's less noisy that way
2024-01-31 21:19:10 +00:00
7af970f38c
modules/programs: extend wrapperType="wrappedDerivation" to handle common share/ items
2024-01-29 11:59:38 +00:00
7b9795ea3d
modules/programs: implement embedWrapper
option
2024-01-29 09:13:49 +00:00
f100595257
modules/programs: properly forward autodetectCliPaths to the sandboxer
2024-01-28 10:31:07 +00:00
42f9fa029d
modules/programs: fix that whitelistPwd wasnt passed into the sandbox profile
2024-01-28 09:04:27 +00:00
9261d30a34
modules/programs: reformatting
2024-01-28 05:58:08 +00:00
3eb3a8db5a
modules/programs: add a whitelistPwd
option to grant the program access to the directory it was called from
2024-01-28 05:57:30 +00:00
97129268f0
modules/programs: sandbox: add "capshonly" as a valid sandbox.method
2024-01-28 05:57:11 +00:00
4d7414c941
programs: introduce and use "autodetectCliPaths" nix config
2024-01-27 17:19:48 +00:00
a7d081bfcb
modules/programs: add a sane.strictSandboxing option
2024-01-27 17:11:07 +00:00
5ca208d07f
modules/programs: sandbox: add enable flag and capabilities structured config
2024-01-27 17:08:27 +00:00
d8b6d419b6
modules/programs: sandboxing: add wrapperType = "wrappedDerivation"
to wrap without rebuilding the whole package
2024-01-27 14:26:41 +00:00
a6b824d3c4
modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system
2024-01-27 12:23:25 +00:00
3b4884fcf1
sane-sandbox: fix secret binding
2024-01-27 11:26:10 +00:00
3122434908
programs: add an option to configure extra home paths to make accessible in the sandbox
2024-01-27 09:11:32 +00:00