colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
9,091 Commits 141 Branches 1 Tag
a72bc90e901b8801c881c99a162348bdacc18e1c
Commit Graph

21 Commits

Author SHA1 Message Date
Colin
568ff01bc1 seatd: remove --bunpen-debug=4 flag 2024-11-13 11:47:47 +00:00
Colin
11b706b132 refactor: use lib.getExe where applicable 2024-10-12 19:34:42 +00:00
Colin
995db12ec4 seatd: declare the runtime dir with systemd.tmpfiles instead of sane.fs 2024-09-28 14:25:40 +00:00
Colin
31615340a7 programs/assorted: remove explicit (and extraneous) sandbox.method = "bunpen" declarations 2024-09-21 23:35:06 +00:00
Colin
aeea904e5b seatd/bunpen: remove the need for CAP_SETPCAP 2024-09-07 18:58:47 +00:00
Colin
30060e4bb1 bunpen/seatd: remove CAP_NET_ADMIN: creating a net namespace does NOT require that, rather it was a quirk in bwrap 2024-09-07 18:32:29 +00:00
Colin
9b8bdfaf5e seatd: ACTUALLY sandbox with bunpen 2024-09-07 18:24:33 +00:00
Colin
f68fbb0e0b bunpen/seatd namespacing: clarify that CAP_NET_ADMIN requirement is surprising 2024-09-07 17:14:50 +00:00
Colin
7ce82ca735 seatd: remove no-longer-necessary ambient caps 2024-09-07 17:01:05 +00:00
Colin
454c109ef8 seatd: sandbox with bunpen 2024-09-07 15:39:50 +00:00
Colin
8255e419be modules/programs: rename "keepUsers" -> "tryKeepUsers" 2024-09-06 06:32:49 +00:00
Colin
9340f52df1 modules/programs: rename isolatePids -> keepPids, isolateUsers -> keepUsers 
this follows my explicit whitelisting elsewhere
 2024-09-06 04:06:42 +00:00
Colin
f8aea34e96 sanebox: bwrap: make user namespace unsharing more obvious 2024-08-07 21:23:21 +00:00
Colin
49efb94a0a seatd: restrict capabilities 2024-08-07 20:30:29 +00:00
Colin
9b1e053ead seatd: place the socket in a place that lends itself to better sandboxing 2024-08-07 19:37:20 +00:00
Colin
e355a4b2eb assorted: remove no-longer-needed sanebox PATH fixes 2024-07-16 07:24:56 +00:00
Colin
f1d397940f seatd: patch sandboxing for desko 2024-05-29 19:42:45 +00:00
Colin
fa94fa8e6c seatd: sandbox with bwrap 
it always surprises my that you can sandbox something with cap_sys_admin like this...

i think this works *only* because the user is root
 2024-05-29 19:09:57 +00:00
Colin
4b9c125c8c seatd: sandbox 2024-05-29 18:58:38 +00:00
Colin
635ca1e5d8 seatd: pull the service definition into my own repo 
this will allow me to configure the package
 2024-05-29 16:34:32 +00:00
Colin
2789868703 seatd: split out of sway conf 2024-05-29 16:22:52 +00:00