0dff9f993f
browserpass: sandbox
2024-10-29 08:21:42 +00:00
864e75afce
sanebox: purge
2024-10-29 05:59:01 +00:00
1c57b9ce9e
programs/sandbox: include udev rules in the sandboxed program output
...
notably, this fixes feedbackd so that the PPP haptics/vibrator is writable by the user
2024-10-22 07:01:18 +00:00
034c3f987e
programs/make-sandboxed: fix for apps which ship thumbnailers (i.e. gnome papers)
2024-09-17 02:33:51 +00:00
850c975321
modules/programs: when sandboxing, use makeBinaryWrapper if supported
2024-09-06 01:17:21 +00:00
50d443ad46
make-sandboxed: fix quoting error
2024-09-03 14:10:06 +00:00
41d9eccfe8
bunpen: preserve argv0 in the wrapper
2024-09-03 01:45:48 +00:00
3deb17125d
make-sandboxed: handl polkit files when patching bin paths
2024-09-02 11:31:24 +00:00
4328a7ddf3
modules/programs: remove unused arguments
2024-09-02 10:26:42 +00:00
c86d893a2c
modules/programs: sandbox: allow method = "bunpen"
2024-08-23 16:00:31 +00:00
b4b95be588
make-sandboxed: fix to preserve the specified output, for packages like dig
2024-08-21 04:00:45 +00:00
ae0d6cb8e8
make-sandboxed: preserve outputs of multiple-output packages
...
especially, this fixes the dconf service, since we keep '/libexec'
2024-08-21 03:28:02 +00:00
ca793af819
make-sandboxed: fix double-wrapping when two symlinks point to the same binary by non-canonical paths (e.g. mount.sshfs -> ../bin/sshfs)
2024-08-16 10:50:20 +00:00
a552ed625b
make-sandboxed: fix several edge-cases for e.g. brave, firefox, especially around handling of wrapped binaries
2024-08-16 02:15:46 +00:00
fd6959230f
make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better
2024-08-15 10:32:18 +00:00
87e9856497
sanebox: forward argv0
2024-08-15 10:31:21 +00:00
132798be23
sanebox: ensure sanebox is always on the PATH of sandboxed binaries
2024-07-16 07:24:42 +00:00
5048bd8d70
sanebox: fix that pasta-sandboxed programs would fail compile-time sandboxing test
2024-07-05 20:41:28 +00:00
e82feb9f71
make-sandboxed: migrate to binary wrapper
2024-07-03 19:35:56 +00:00
4839a40205
make-sandboxed: use makeWrapper proper, rather than rolling my own
...
i can't use the _binary_ wrapper unless i use a fully-qualified path to 'sanebox' or hide it behind something like /usr/bin/env
2024-07-03 17:54:38 +00:00
45e121eb1c
make-sandboxed: preserve meta.mainProgram
2024-06-01 20:01:24 +00:00
36f4fa3018
checkSandboxed: fix so that cross-built scripts can be checked again
...
how did this work earlier? does lappy have binfmt enabled??
2024-06-01 13:24:41 +00:00
f875db916d
sandboxing: fix checkSandboxed to handle packages with multiple outputs
2024-06-01 12:12:46 +00:00
f296d8df93
make-sandboxed: fix multi-output packages and sandbox *all* their outputs
...
this mostly applies to the wrapperType = 'inplace' users
2024-05-31 23:26:16 +00:00
00d06db66a
make-sandboxed: handle more systemd service files
2024-05-29 12:54:44 +00:00
be38d56717
make-sandboxed: handle more systemd/dbus service file locations
2024-05-28 13:36:01 +00:00
17eaa7446a
sanebox: remove all profile-related features except for direct, path-based profile loading
2024-05-15 09:13:20 +00:00
adfaa7f9c1
sane-sandboxed -> sanebox
2024-05-15 01:41:40 +00:00
2eea562d1f
sandbox: remove unused "binMap" option
2024-04-15 19:56:33 +00:00
56aca78d84
make-sandboxed: also sandbox the .lib output of a package
2024-03-13 04:49:48 +00:00
a45e42910d
make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage
2024-03-02 07:11:45 +00:00
812c0c8029
packages: reduce the number of packages which are using inplace sandbox wrapping
2024-02-28 17:35:40 +00:00
a4248fd5cc
make-sandboxed: don't try to wrap directories
...
whoops. test -x is true for directories
2024-02-28 16:28:25 +00:00
6ef729bbaf
assorted: prefer runCommandLocal over runCommand where it makes sense
2024-02-27 22:26:56 +00:00
8f424dcd5a
programs: sandboxing: link /etc into sandboxed programs
...
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
4ced02b0b2
modules/programs: make-sandboxed: fix incorrect "priority" attribute
2024-02-17 03:32:49 +00:00
8c9c6ec979
modules/programs: make-sandboxed: support /libexec binaries
2024-02-16 03:15:45 +00:00
7b28023e08
modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr
2024-02-12 14:27:48 +00:00
3e0b0a0f02
modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
2024-02-12 11:52:33 +00:00
7c05d221d6
modules/programs: split "make-sandbox-profile" out of "make-sandboxed"
2024-02-12 11:20:40 +00:00
bc85169e3d
programs: sandboxer: allow disable net access
2024-02-08 21:07:34 +00:00
2fc1fe7510
modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries
2024-02-06 19:55:55 +00:00
d7612d5034
modules/programs: make-sandboxed: avoid deep-copying all of /share when sandboxing
...
saves like 1 GiB of closure. but i haven't thoroughly tested this
2024-02-06 05:02:02 +00:00
413903d03c
make-sandboxed: also embed profiles for the withEmbeddedSandboxer passthru pkg
2024-02-05 08:26:40 +00:00
3439ca34b8
sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev)
2024-02-03 00:17:24 +00:00
5e3c2636db
programs: make-sandboxed: handle packages which use relative links in bin (like spotify)
2024-02-02 22:38:36 +00:00
881d2f79ed
modules/programs: add "unchecked" passthru to aid debugging
2024-01-29 13:36:01 +00:00
47abdfb831
modules/programs: patch dbus-1 files to use sandboxed binaries
2024-01-29 13:09:43 +00:00
3831c6f087
TODO: fold
2024-01-29 13:07:44 +00:00
4f8d476ebf
modules/programs: patch old /nix/store paths in .desktop files
2024-01-29 12:56:08 +00:00
