Commit Graph

247 Commits

Author SHA1 Message Date
fc239cfa34 modules/programs: support mime.priority when handling duplicated env keys 2024-12-03 02:18:48 +00:00
de182e117d modules/programs: enable even more /dev/video devices inside the relevant sandboxes 2024-11-29 18:33:35 +00:00
02286a24ba modules/programs: add more /dev/video devices required by pinephone-pro rear camera 2024-11-29 18:29:35 +00:00
1f84fc4b2b programs: port a few programs from dconf -> gsettings, tested on desko 2024-11-07 05:06:44 +00:00
3a9e4af6da modules/programs: introduce a gsettings config option, which so far routes to dconf but later will stand alone 2024-11-07 03:30:34 +00:00
0dff9f993f browserpass: sandbox 2024-10-29 08:21:42 +00:00
864e75afce sanebox: purge 2024-10-29 05:59:01 +00:00
1c57b9ce9e programs/sandbox: include udev rules in the sandboxed program output
notably, this fixes feedbackd so that the PPP haptics/vibrator is writable by the user
2024-10-22 07:01:18 +00:00
dbc29db5fa modules/programs: update docs for tryKeepUsers 2024-10-16 00:18:06 +00:00
0744237c13 programs: fix most service invokers (sway, nwg-panel, etc) to use systemd 2024-10-03 03:20:05 +00:00
61df81291b refactor: optimize eval time
lifting `let` bindings up where possible helps reduce the number of thunks nix has to allocate. this patch only does that by 0.3%-ish, though
2024-10-01 03:54:44 +00:00
0c270fe4a3 WIP: sane.fs consumers: avoid wantedBy/wantedBeforeBy 2024-09-30 10:19:39 +00:00
edb665abd0 users: add a systemd backend for managing services 2024-09-28 03:38:46 +00:00
ea3eaf048e programs: sandbox with bunpen *by default*; manually opt out or opt to a different sandboxer where required 2024-09-21 23:00:49 +00:00
208b634040 programs/sandboxing: add required args to use pasta 2024-09-21 12:21:11 +00:00
8979ff0eec bunpen: plumb pasta related arguments into make-sandboxed
for testing only: these options don't yet have the intended effect
2024-09-19 23:54:43 +00:00
034c3f987e programs/make-sandboxed: fix for apps which ship thumbnailers (i.e. gnome papers) 2024-09-17 02:33:51 +00:00
e9decbbf40 sandboxing: add a global toggle to disable sandboxing 2024-09-16 00:38:02 +00:00
b5f9ba62d0 camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly)
N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps)

this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that
2024-09-15 11:14:23 +00:00
6e0c83b4f3 modules/programs: don't install bunpen/sanebox unless some program actually requires it 2024-09-14 23:10:19 +00:00
b43ee23459 firefox: allow webcam access 2024-09-13 00:02:48 +00:00
3ef98a5ab3 modules/programs: support "sandbox.keepIpc = true" 2024-09-07 22:10:11 +00:00
8255e419be modules/programs: rename "keepUsers" -> "tryKeepUsers" 2024-09-06 06:32:49 +00:00
6e30527688 modules/programs: simplfiy the common combination of keeping pids AND /proc by introducing "keepPidsAndProc" 2024-09-06 04:18:46 +00:00
9340f52df1 modules/programs: rename isolatePids -> keepPids, isolateUsers -> keepUsers
this follows my explicit whitelisting elsewhere
2024-09-06 04:06:42 +00:00
850c975321 modules/programs: when sandboxing, use makeBinaryWrapper if supported 2024-09-06 01:17:21 +00:00
6ff35b4366 dbus: place the bus in a subdirectory for better sandboxing 2024-09-04 13:04:20 +00:00
50d443ad46 make-sandboxed: fix quoting error 2024-09-03 14:10:06 +00:00
ce7a082447 modules/programs: plum sandbox.keepPids and whitelistPwd into bunpen 2024-09-03 02:25:28 +00:00
41d9eccfe8 bunpen: preserve argv0 in the wrapper 2024-09-03 01:45:48 +00:00
3deb17125d make-sandboxed: handl polkit files when patching bin paths 2024-09-02 11:31:24 +00:00
4328a7ddf3 modules/programs: remove unused arguments 2024-09-02 10:26:42 +00:00
737df8c10e modules/programs: plumb capabilities into bunpen sandboxer 2024-08-30 20:36:11 +00:00
f26f13ddf3 bunpen: bind "safe"-ish /de items 2024-08-29 20:13:37 +00:00
14929c1102 programs: plum --bunpen-autodetect into modules/programs API 2024-08-28 11:37:18 +00:00
b9fc61e627 modules/programs: plumb bunpen's home/run path binds 2024-08-27 20:36:31 +00:00
3417a9fd3f sanebox: remove the portal logic, and delegate it to manual handling by those few apps which truly need special casing
it's a questionable responsibility to give to the sandbox itself (unless i also have the sandbox do things like dbus proxying, someday). and it will make the bunpen implementation simpler
2024-08-27 11:00:15 +00:00
422e8aeb3f sanebox: support existingDir{,OrParent} autodetect option 2024-08-26 14:06:49 +00:00
c86d893a2c modules/programs: sandbox: allow method = "bunpen" 2024-08-23 16:00:31 +00:00
effec38a99 modules/programs: sandbox: introduce an interface which will allow for sandboxers other than sanebox 2024-08-23 16:00:31 +00:00
b4b95be588 make-sandboxed: fix to preserve the specified output, for packages like dig 2024-08-21 04:00:45 +00:00
ae0d6cb8e8 make-sandboxed: preserve outputs of multiple-output packages
especially, this fixes the dconf service, since we keep '/libexec'
2024-08-21 03:28:02 +00:00
ca793af819 make-sandboxed: fix double-wrapping when two symlinks point to the same binary by non-canonical paths (e.g. mount.sshfs -> ../bin/sshfs) 2024-08-16 10:50:20 +00:00
a552ed625b make-sandboxed: fix several edge-cases for e.g. brave, firefox, especially around handling of wrapped binaries 2024-08-16 02:15:46 +00:00
fd6959230f make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better 2024-08-15 10:32:18 +00:00
87e9856497 sanebox: forward argv0 2024-08-15 10:31:21 +00:00
e7d5a61014 libcap: split into separate capsh and captree programs, and sandbox the latter 2024-08-12 10:13:50 +00:00
f8aea34e96 sanebox: bwrap: make user namespace unsharing more obvious 2024-08-07 21:23:21 +00:00
c706a19836 landlock-sandboxer: rename the binary, so that it can be included on PATH without collisions 2024-08-05 22:59:14 +00:00
8ef5920d84 unl0kr: port to an s6 service
this has some drawbacks in its current form and will be tidied

it writes the password also to the consold. it requires 'sudo'.
2024-07-25 18:45:01 +00:00