| Commit | Message | Date |
|---|---|---|
| 7b28023e08 | modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr | 2024-02-12 14:27:48 +00:00 |
| 3e0b0a0f02 | modules/programs: make-sandboxed: lift profile creation logic out to the toplevel | 2024-02-12 11:52:33 +00:00 |
| 7c05d221d6 | modules/programs: split "make-sandbox-profile" out of "make-sandboxed" | 2024-02-12 11:20:40 +00:00 |
| bc85169e3d | programs: sandboxer: allow disable net access | 2024-02-08 21:07:34 +00:00 |
| 2fc1fe7510 | modules/programs: make-sandboxed: fix that /share/* was being linked into top-level /; better way to enforce sandboxing of /share entries | 2024-02-06 19:55:55 +00:00 |
| d7612d5034 | modules/programs: make-sandboxed: avoid deep-copying all of /share when sandboxing<br>saves like 1 GiB of closure. but i haven't thoroughly tested this | 2024-02-06 05:02:02 +00:00 |
| 413903d03c | make-sandboxed: also embed profiles for the withEmbeddedSandboxer passthru pkg | 2024-02-05 08:26:40 +00:00 |
| 3439ca34b8 | sane-sandboxed: add more autodetect options, and a "withEmbeddedSandboxer" package output (for dev) | 2024-02-03 00:17:24 +00:00 |
| 5e3c2636db | programs: make-sandboxed: handle packages which use relative links in bin (like spotify) | 2024-02-02 22:38:36 +00:00 |
| 881d2f79ed | modules/programs: add "unchecked" passthru to aid debugging | 2024-01-29 13:36:01 +00:00 |
| 47abdfb831 | modules/programs: patch dbus-1 files to use sandboxed binaries | 2024-01-29 13:09:43 +00:00 |
| 3831c6f087 | TODO: fold | 2024-01-29 13:07:44 +00:00 |
| 4f8d476ebf | modules/programs: patch old /nix/store paths in .desktop files | 2024-01-29 12:56:08 +00:00 |
| 7af970f38c | modules/programs: extend wrapperType="wrappedDerivation" to handle common share/ items | 2024-01-29 11:59:38 +00:00 |
| 32824cfade | modules/programs: sandbox in a manner that's more compatible with link-heavy apps like busybox, git, etc | 2024-01-29 09:56:30 +00:00 |
| 7b9795ea3d | modules/programs: implement embedWrapper option | 2024-01-29 09:13:49 +00:00 |
| f100595257 | modules/programs: properly forward autodetectCliPaths to the sandboxer | 2024-01-28 10:31:07 +00:00 |
| 40fee97b06 | modules/programs: make-sandboxed: disallowReferences to the fake sane-sandboxed used during checkPhase | 2024-01-28 08:58:13 +00:00 |
| 3cc8292d8b | modules/programs: make-sandboxed: support packages with checkPhase by bypassing the sandbox | 2024-01-28 07:45:08 +00:00 |
| 9261d30a34 | modules/programs: reformatting | 2024-01-28 05:58:08 +00:00 |
| 3eb3a8db5a | modules/programs: add a whitelistPwd option to grant the program access to the directory it was called from | 2024-01-28 05:57:30 +00:00 |
| 4d7414c941 | programs: introduce and use "autodetectCliPaths" nix config | 2024-01-27 17:19:48 +00:00 |
| 5ca208d07f | modules/programs: sandbox: add enable flag and capabilities structured config | 2024-01-27 17:08:27 +00:00 |
| 26b978dcf2 | modules/programs: sandbox: fix "inline" -> "inplace" typo | 2024-01-27 14:42:25 +00:00 |
| d8b6d419b6 | modules/programs: sandboxing: add wrapperType = "wrappedDerivation" to wrap without rebuilding the whole package | 2024-01-27 14:26:41 +00:00 |
| a6b824d3c4 | modules/programs/sandbox: add an "embedProfile" option to source sandbox settings from the package instead of the system | 2024-01-27 12:23:25 +00:00 |
| f148334b58 | programs: port extraFirejailConfig to extraConfig | 2024-01-23 14:57:33 +00:00 |
| 27b56b1a12 | programs: sane-sandbox: implement a cleaner debugshell and test API | 2024-01-23 11:19:52 +00:00 |
| 6e9220d2bb | programs: allow programs to specify "sandbox.method = "bwrap"" for bubblewrap sandboxing | 2024-01-23 10:44:13 +00:00 |
| 0ddcfcaa23 | sane-sandboxed: retrieve profiles from /share/sane-sandboxed/profiles so they can be customized without mass rebuilds | 2024-01-23 08:01:23 +00:00 |
| a4cb6645b4 | programs: indirect firejail access through sane-sandboxed | 2024-01-23 04:02:31 +00:00 |
| f49d2a1e0e | programs: split "makeSandboxed" into its own file | 2024-01-23 01:23:14 +00:00 |