af72f312d3
sandbox: remove /run/wrappers: SUID wrappers dont really accomplish much inside a namespace
2024-05-26 01:18:30 +00:00
73f5c9608e
sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@
2024-05-25 10:26:36 +00:00
b035d312aa
firejail: purge
2024-05-25 10:21:31 +00:00
7b1bc210fd
sanebox: integrate with pasta
(passt) for better net sandboxing
2024-05-25 09:39:18 +00:00
118ed5f950
sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge
2024-05-25 08:17:38 +00:00
ffe599e5cb
sanebox: rename --sanebox-net to --sanebox-net-dev
2024-05-25 08:13:35 +00:00
cbbddee152
modules/programs: add ~/.config/FOO and ~/.local/share/FOO to the sandbox where applicable
2024-05-18 06:32:07 +00:00
b5502ea401
sanebox: remove --sanebox-cache-symlink flag
2024-05-15 23:59:38 +00:00
1211023c55
modules/programs: remove dead code from per-user profiles
2024-05-15 23:58:10 +00:00
b4229ecb1e
sanebox: load the link cache from a static /etc path instead of via CLI args
2024-05-15 23:55:15 +00:00
348837ff4a
programs: sandboxing: replace profiles with raw CLI args
2024-05-15 09:13:20 +00:00
17eaa7446a
sanebox: remove all profile-related features except for direct, path-based profile loading
2024-05-15 09:13:20 +00:00
530664294a
programs: sandbox: always specify --sanebox-profile-dir instead of loading from XDG_DATA_DIRS
2024-05-15 08:54:16 +00:00
b649071d98
programs: sandboxing: make the profiles be generic across users
...
this is a step toward making the profile not even be dynamically loaded, since its content is no longer dynamic :)
2024-05-15 08:48:09 +00:00
ea2653b7ce
programs: sandboxing: pass home- and runtime-relative paths to the sandboxer, instead of making absolute first
2024-05-15 08:20:09 +00:00
4c1b1282d6
modules/programs: sandbox: be compatible with systemd resolved again
2024-05-15 02:57:40 +00:00
adfaa7f9c1
sane-sandboxed -> sanebox
2024-05-15 01:41:40 +00:00
bee3eea040
modules/programs: sandbox: remove no-longer-needed /run/systemd/resolve from sandbox
2024-05-14 04:18:29 +00:00
f3106ee316
programs: maxBuildCost: fix to actually build everything by default
2024-05-13 22:57:40 +00:00
43d32641f3
programs: buildCost: introduce a new level between min
and light
2024-05-13 22:45:33 +00:00
46d95805e9
programs: simplify sandbox symlink closure code
2024-05-13 07:49:00 +00:00
bd3e06982b
sane-sandboxed: tweak symlink caching to allow /run/current-system to be bind-mounted instead of symlinked
2024-05-13 02:11:47 +00:00
660ba94c7c
sane-sandboxed: introduce a symlink cache to reduce readlink
calls even more
...
it's all a bit silly. i still do a bunch of -L tests: i just avoid the costly readlink fork :|
2024-05-13 01:31:30 +00:00
2eea562d1f
sandbox: remove unused "binMap" option
2024-04-15 19:56:33 +00:00
0385c09f23
sane-sandboxed: split out into an actual package
2024-04-15 18:57:22 +00:00
4b22fd95bf
introduce 'moby-min' host variant for the quickest deployment (no webkitgtk)
2024-04-13 20:29:24 +00:00
febedb9323
nits: update --replace
uses to --replace-{fail,quiet}
as appropriate
2024-03-24 12:49:18 +00:00
03fbb780b2
sane.programs: sandbox: refactor extraRuntimePaths computation
2024-03-24 12:03:38 +00:00
9c0b175260
swaync: allow toggling of s6 services
2024-03-24 11:54:12 +00:00
6102a0301d
sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox
2024-03-23 16:37:22 +00:00
5205251f6f
programs: xwayland: sandbox it without exposing net access
2024-03-23 15:33:23 +00:00
8c48adefa5
pipewire: move sockets into a subdirectory for easier sandboxing
2024-03-23 13:34:13 +00:00
70b5c57b50
modules/programs: enforce (or rather document) a stricter schema
...
this should make it easier to switch to a different service manager
2024-03-21 17:16:01 +00:00
b25df1d997
sane-sandboxed: fix capabilities example
2024-03-14 01:36:46 +00:00
4510352c07
sane-sandboxed: implement --sane-sandbox-no-portal flag
2024-03-13 04:49:48 +00:00
430592632c
sane-sandboxed: add a help message
2024-03-13 04:49:48 +00:00
56aca78d84
make-sandboxed: also sandbox the .lib
output of a package
2024-03-13 04:49:48 +00:00
8029744c90
modules/programs: don't expose *all* of /run/secrets/home to every program
...
this was actually causing a lot of bwrap errors because that directory's not user-readable
turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
2024-03-02 18:51:39 +00:00
a45e42910d
make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage
2024-03-02 07:11:45 +00:00
db89ac88f0
sane-sandboxed: add new --sane-sandbox-keep-namespace all
option
2024-03-01 20:48:56 +00:00
40e30cf2f8
programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that
2024-02-28 17:39:00 +00:00
812c0c8029
packages: reduce the number of packages which are using inplace sandbox wrapping
2024-02-28 17:35:40 +00:00
a4248fd5cc
make-sandboxed: don't try to wrap directories
...
whoops. test -x is true for directories
2024-02-28 16:28:25 +00:00
b302113fc0
modules/programs: require manual definition; don't auto-populate attrset
...
this greatly decreases nix eval time
2024-02-28 13:35:09 +00:00
6ef729bbaf
assorted: prefer runCommandLocal over runCommand where it makes sense
2024-02-27 22:26:56 +00:00
8f424dcd5a
programs: sandboxing: link /etc into sandboxed programs
...
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
d2df668c9e
modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
2024-02-25 12:00:00 +00:00
f807d7c0a2
modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead
...
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
2024-02-25 08:15:39 +00:00
73b2594d9b
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
2024-02-25 01:59:01 +00:00
a55dc5332d
modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option
...
some programs will want this, to create directories by name; e.g. archive managers
2024-02-25 01:48:10 +00:00