| Commit | Message | Date |
|---|---|---|
| e8748ce0a0 | servo: lemmy: pict-rs: port the media-enable-full-video -> media-video-allow-audio CLI flag | 2024-01-23 17:12:13 +00:00 |
| 7cf9b342cc | gpodder: fixup GPODDER_DOWNLOAD_DIR to be more friendly to sandboxing | 2024-01-23 16:44:47 +00:00 |
| 8739851f48 | evince: port sandbox from firejail to bwrap | 2024-01-23 16:44:13 +00:00 |
| d945b43f6b | signal-desktop: switch sandbox from firejail -> bwrap | 2024-01-23 16:42:48 +00:00 |
| fcc3ea1e39 | todo: update containerization tasks | 2024-01-23 16:41:06 +00:00 |
| 7722acecee | sway: obtain deps via "config.sane.programs", so that I get the sandboxed version of e.g. splatmoji | 2024-01-23 16:32:42 +00:00 |
| bdd70f8fa2 | sane-sandboxed: ignore the executable path when autodetecting media | 2024-01-23 16:32:06 +00:00 |
| 571a0a9d06 | gui: disable unused abaddon app | 2024-01-23 16:30:06 +00:00 |
| ccf4f66dd9 | programs: dialect: sandbox with bubblewrap | 2024-01-23 16:23:14 +00:00 |
| b38e5403a5 | splatmoji: sandbox | 2024-01-23 16:01:27 +00:00 |
| 09af041745 | g4music: ensure it can access the Music dir in its sandbox | 2024-01-23 16:00:21 +00:00 |
| cb5131746f | programs: audacity: sandbox with bubblewrap | 2024-01-23 15:59:50 +00:00 |
| 2fbd0f8ee1 | nixpatches: apply bonsai refactor PR | 2024-01-23 15:50:32 +00:00 |
| bfd5630e21 | programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths | 2024-01-23 15:48:12 +00:00 |
| 026f5dee4d | programs: g4music: sandbox with bwrap | 2024-01-23 15:06:45 +00:00 |
| b59be8338a | firefox: fix up sandboxing of ssh/sops | 2024-01-23 14:57:57 +00:00 |
| ab4bbc2224 | programs: remove explicit firejail installation; let sane.programs decide when to install it sys-wide | 2024-01-23 14:57:33 +00:00 |
| 156fcd1bf2 | aerc: enable bwrap sandbox | 2024-01-23 14:57:33 +00:00 |
| 576d2c32f0 | programs: support secrets even when sandboxed | 2024-01-23 14:57:33 +00:00 |
| bb63a594ab | conky: fixup needed paths for bwrap | 2024-01-23 14:57:33 +00:00 |
| 25739ec2ba | programs: sane-sandboxed: avoid reading firejail profiles when the backend isn't firejail<br>this should provide a marginal perf gain | 2024-01-23 14:57:33 +00:00 |
| f148334b58 | programs: port extraFirejailConfig to extraConfig | 2024-01-23 14:57:33 +00:00 |
| da537ea8ea | fractal: switch from firejail -> bwrap | 2024-01-23 14:13:09 +00:00 |
| 18d224dc34 | dino: switch from firejail to bwrap | 2024-01-23 14:12:52 +00:00 |
| 3a6ee8708e | programs: sane-sandboxed: don't error if network mountpoints are offline | 2024-01-23 13:13:31 +00:00 |
| 983bf93d8f | programs: sane-sandboxed: make the profile handle arguments with spaces | 2024-01-23 12:47:25 +00:00 |
| 40cc8f5d1c | programs: sane-sandboxed: make more debuggable | 2024-01-23 12:27:23 +00:00 |
| cce03a5dc8 | programs: sandbox: use --dev-bind-try for root paths; fixes mpv on moby | 2024-01-23 12:18:32 +00:00 |
| 38fd171713 | spotify: sandbox with bwrap instead of firejail | 2024-01-23 12:12:56 +00:00 |
| 84c78d9256 | conky: sandbox with bwrap instead of firejail | 2024-01-23 12:11:22 +00:00 |
| 973203d85e | programs: mpv: sandbox with bwrap instead of firejail | 2024-01-23 11:37:37 +00:00 |
| f9174dd2aa | programs: firefox: sandbox with bwrap instead of firejail | 2024-01-23 11:37:19 +00:00 |
| 98dfc3aa5a | programs: sandbox: allow all programs to access media<br>hopefully this is just a stopgap | 2024-01-23 11:36:58 +00:00 |
| 27b56b1a12 | programs: sane-sandbox: implement a cleaner debugshell and test API | 2024-01-23 11:19:52 +00:00 |
| 6e9220d2bb | programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing | 2024-01-23 10:44:13 +00:00 |
| 0ddcfcaa23 | sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds | 2024-01-23 08:01:23 +00:00 |
| a4cb6645b4 | programs: indirect firejail access through sane-sandboxed | 2024-01-23 04:02:31 +00:00 |
| 2492ed2ca7 | programs: introduce a sane-sandboxed helper<br>not yet used, but will be soon | 2024-01-23 02:29:33 +00:00 |
| f49d2a1e0e | programs: split "makeSandboxed" into its own file | 2024-01-23 01:23:14 +00:00 |
| 0dc3f4f7f2 | modules/programs: move to subdir<br>this will help me factor out helpers | 2024-01-23 01:02:04 +00:00 |
| 0bed4d0ada | mpv: disable firejail sandboxing (it fails on moby) | 2024-01-23 01:01:21 +00:00 |
| f3e8af3fdb | doc: libreoffice: mention "still" vs. "fresh" variants | 2024-01-23 01:00:34 +00:00 |
| af542ec05f | docs: gnome-keyring: point out that system gnome-keyring doesn't inherit my sandboxing | 2024-01-23 01:00:06 +00:00 |
| 399a1d2052 | steam: use wrapped package as system steam | 2024-01-23 00:59:23 +00:00 |
| bb6e5611d4 | docs: conky: point out that un-sandboxed conky is used by sxmo-utils | 2024-01-23 00:58:56 +00:00 |
| d5901afb8e | programs: firejail: specify profile via : (clarifies to firejail that it's an identifier and not a path); invoke firejail via name instead of absolute path | 2024-01-22 23:58:54 +00:00 |
| c11f5a1401 | wireshark: fix security.wrappers when wireshark is disabled | 2024-01-22 23:58:04 +00:00 |
| 5b220f3fec | wireshark: enable firejail isolation | 2024-01-22 13:12:10 +00:00 |
| 8bf41ea858 | programs: fix missing newline in firejail config concatenation | 2024-01-22 13:11:47 +00:00 |
| df861a3ef0 | programs: firejail: inject custom firejail config through /etc/firejail<br>this improves rebuild times, and makes it easier for packages to inject their own free-form config | 2024-01-22 11:12:18 +00:00 |