colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
4,749 Commits 125 Branches 1 Tag 12 MiB
a6b824d3c4
Commit Graph

4749 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Colin
a6b824d3c4 modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system 2024-01-27 12:23:25 +00:00
Colin
79ee47bada firefox: get away with linking slightly less into the sandbox 2024-01-27 11:41:18 +00:00
Colin
be06e61bfb programs: geary: fix sandboxing 
this is an UGLY one. geary itself uses bwrap, and that fails if it's sandboxed AT ALL in landlock (i.e. even with just / landlocked as RW).

maybe this has to do with what landlock-sandboxer considers 'read/write' to be, and there's actually more file ops i need to enable on /
 2024-01-27 11:28:08 +00:00
Colin
3b4884fcf1 sane-sandbox: fix secret binding 2024-01-27 11:26:10 +00:00
Colin
4319dc58eb programs: landlock: restrict the capabilities of sandboxed processes 2024-01-27 09:49:51 +00:00
Colin
3122434908 programs: add an option to configure extra home paths to make accessible in the sandbox 2024-01-27 09:11:32 +00:00
Colin
dae7785ee2 wireshark: remove dead code 2024-01-27 09:04:08 +00:00
Colin
d54f8b1e93 programs: fix so environment variables make it onto user sessions 2024-01-27 09:02:55 +00:00
Colin
27f3b2bd76 firefox: allow ~/tmp and ~/Pictures access 2024-01-27 06:00:46 +00:00
Colin
b417f60769 sane-sandboxed: try binding /proc/self in landlock. still doesnt work well 2024-01-27 05:59:40 +00:00
Colin
df2d5b6d01 sane-sandboxed: fixup /dev/std* for wireshark 2024-01-27 05:12:43 +00:00
Colin
3e6278fa21 wireshark: sandbox with landlock instead of firejail 
and remove the SUID wrapper, yay!
 2024-01-27 04:44:21 +00:00
Colin
a66b257644 sane-sandboxed: better support for landlock and SANE_SANDBOX_PREPEND/APPEND 2024-01-27 04:43:42 +00:00
Colin
ef66d2ec72 sane-sandboxed: add support for landlock backend 2024-01-27 03:39:26 +00:00
Colin
e21dbd507d landlock-sandboxer: init 2024-01-26 16:52:33 +00:00
Colin
64878bee67 sane-sandboxed: add SANE_SANDBOX_PREPEND, SANE_SANDBOX_APPEND env vars 2024-01-26 09:14:18 +00:00
Colin
557a080ffc TODO.md: try landlocked for sandboxing, instead of bubblewrap 2024-01-26 09:13:46 +00:00
Colin
8ecb17ed3e programs: enable libcap_ng/netcap 2024-01-26 09:13:20 +00:00
Colin
c4874c85b1 bubblewrap: debugging 2024-01-26 09:13:00 +00:00
Colin
563a75e9b2 users: launch entire systemd --user namespace with cap_net_admin, cap_net_raw 
this should make sandboxing wireshark *much* easier, and same with things which require net namespaces, in the future
 2024-01-25 15:05:35 +00:00
Colin
7f002b8718 programs: sane-sandboxed: implement --sane-sandbox-cap for capabilities setting 2024-01-24 06:34:11 +00:00
Colin
79e2bd2913 epiphany: sandbox with bwrap 
this is the first app which *requires* DRI/DRM to function correctly. maybe this effects anything webkitgtk (like wike)?
 2024-01-24 06:25:20 +00:00
Colin
95161b55cd spot: sandbox with bwrap 2024-01-24 05:47:04 +00:00
Colin
d91759068c element-desktop: sandbox with bwrap 2024-01-24 05:37:46 +00:00
Colin
c23c496066 programs: tuba: sandbox with bwrap 
it complains "Fontconfig error: No writable cache directories"
seeeeeveral times. not sure if that's new or not. no obvious
consequences.
 2024-01-24 05:34:10 +00:00
Colin
824630f7d1 programs: sandboxing: document /dev/dri a bit more 2024-01-24 05:28:27 +00:00
Colin
f8e8d23857 vlc: sandbox with bwrap instead of firejail 2024-01-24 05:19:20 +00:00
Colin
8484bb7978 docs: mime: document how to show the nix mime associations 2024-01-24 05:00:35 +00:00
Colin
57105c6861 sane-sandboxed: autodetect: handle file:/// URIs 2024-01-24 05:00:08 +00:00
Colin
3758044e7b sane-sandboxed: better handle "--" 2024-01-24 04:59:24 +00:00
Colin
bfaf098c31 sane-sandboxed: fix handling of -- (which previously smushed arguments) 2024-01-24 02:52:01 +00:00
Colin
0e99b296bc animatch: remove the (unused) .config directory 2024-01-24 02:18:58 +00:00
Colin
089f86d5e4 programs: make /usr/bin/env available in the sandbox 
enables KOReader to run
 2024-01-24 01:48:02 +00:00
Colin
d0e1241bd1 animatch: fix to run on wayland w/o Xwayland, and enable bwrap sandbox 2024-01-24 01:43:33 +00:00
Colin
c1a0a08b76 gtkcord4: sandbox with bwrap 2024-01-24 00:12:12 +00:00
Colin
e8748ce0a0 servo: lemmy: pict-rs: port the media-enable-full-video -> media-video-allow-audio CLI flag 2024-01-23 17:12:13 +00:00
Colin
7cf9b342cc gpodder: fixup GPODDER_DOWNLOAD_DIR to be more friendly to sandboxing 2024-01-23 16:44:47 +00:00
Colin
8739851f48 evince: port sandbox from firejail to bwrap 2024-01-23 16:44:13 +00:00
Colin
d945b43f6b signal-desktop: switch sandbox from firejail -> bwrap 2024-01-23 16:42:48 +00:00
Colin
fcc3ea1e39 todo: update containerization tasks 2024-01-23 16:41:06 +00:00
Colin
7722acecee sway: obtain deps via "config.sane.programs", so that i get the sandboxed version of e.g. splatmoji 2024-01-23 16:32:42 +00:00
Colin
bdd70f8fa2 sane-sandboxed: ignore the executable path when autodetecting media 2024-01-23 16:32:06 +00:00
Colin
571a0a9d06 gui: disable unused abaddon app 2024-01-23 16:30:06 +00:00
Colin
ccf4f66dd9 programs: dialect: sandbox with bubblewrap 2024-01-23 16:23:14 +00:00
Colin
b38e5403a5 splatmoji: sandbox 2024-01-23 16:01:27 +00:00
Colin
09af041745 g4music: ensure it can access the Music dir in its sandbox 2024-01-23 16:00:21 +00:00
Colin
cb5131746f programs: audacity: sandbox with bubblewrap 2024-01-23 15:59:50 +00:00
Colin
2fbd0f8ee1 nixpatches: apply bonsai refactor PR 2024-01-23 15:50:32 +00:00
Colin
bfd5630e21 programs: sandbox: omit media dirs by default, and implement --sane-sandbox-autodetect for programs which are liable to load data from paths 2024-01-23 15:48:12 +00:00
Colin
026f5dee4d programs: g4music: sandbox with bwrap 2024-01-23 15:06:45 +00:00