2336767059
port service manager to s6
...
still a lot of cleanup to do (e.g. support dbus service types), but it boots to a usable desktop
2024-03-21 17:16:11 +00:00
05b37669e3
s6-rc: fix service run
file to have expected format
2024-03-21 17:16:11 +00:00
ea9768c6ab
modules/users: prototype s6 integration: ~/.config/s6/{sources,compiled}
2024-03-21 17:16:11 +00:00
38353dbc29
modules/users: remove unused requiredBy
service option
2024-03-21 17:16:11 +00:00
ef4a8e1989
modules: users: split services -> fs mapping into own systemd.nix
file
2024-03-21 17:16:11 +00:00
acc9a9cb48
modules/users: make it a directory
2024-03-21 17:16:11 +00:00
70b5c57b50
modules/programs: enforce (or rather document) a stricter schema
...
this should make it easier to switch to a different service manager
2024-03-21 17:16:01 +00:00
c28ac38652
modules/users: refactor to remove inherit
s
2024-03-21 17:16:01 +00:00
3c43fba878
feeds: add NativLang per Ben's rec
2024-03-14 07:53:19 +00:00
b25df1d997
sane-sandboxed: fix capabilities example
2024-03-14 01:36:46 +00:00
288d57e5d5
feeds: subscribe to pmOS blog
2024-03-13 23:20:45 +00:00
4510352c07
sane-sandboxed: implement --sane-sandbox-no-portal flag
2024-03-13 04:49:48 +00:00
430592632c
sane-sandboxed: add a help message
2024-03-13 04:49:48 +00:00
56aca78d84
make-sandboxed: also sandbox the .lib
output of a package
2024-03-13 04:49:48 +00:00
30d49dc3c3
feeds: update Anish's URL
2024-03-09 20:51:15 +00:00
8e0031e770
feeds: update Byrne Hobart's feed URL
2024-03-09 20:49:01 +00:00
c453dbac8e
lwn.net: update feed URL
2024-03-09 20:42:03 +00:00
90e3c33536
feeds: subscribe to slatecave.net
2024-03-06 22:40:57 +00:00
8029744c90
modules/programs: don't expose *all* of /run/secrets/home to every program
...
this was actually causing a lot of bwrap errors because that directory's not user-readable
turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
2024-03-02 18:51:39 +00:00
a45e42910d
make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage
2024-03-02 07:11:45 +00:00
db89ac88f0
sane-sandboxed: add new --sane-sandbox-keep-namespace all
option
2024-03-01 20:48:56 +00:00
40e30cf2f8
programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that
2024-02-28 17:39:00 +00:00
812c0c8029
packages: reduce the number of packages which are using inplace sandbox wrapping
2024-02-28 17:35:40 +00:00
a4248fd5cc
make-sandboxed: don't try to wrap directories
...
whoops. test -x is true for directories
2024-02-28 16:28:25 +00:00
c380f61bea
fix "rescue" host to eval again
2024-02-28 14:19:45 +00:00
b302113fc0
modules/programs: require manual definition; don't auto-populate attrset
...
this greatly decreases nix eval time
2024-02-28 13:35:09 +00:00
6ef729bbaf
assorted: prefer runCommandLocal over runCommand where it makes sense
2024-02-27 22:26:56 +00:00
8f424dcd5a
programs: sandboxing: link /etc into sandboxed programs
...
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
d5643a6a5d
assorted static-nix-shell packages: use srcRoot
2024-02-25 17:37:38 +00:00
d2df668c9e
modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts>
2024-02-25 12:00:00 +00:00
f807d7c0a2
modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead
...
this is necessary for some programs which want a near-maximial sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
2024-02-25 08:15:39 +00:00
6ab5dd8a8f
modules/persist: ensure that the mountpoint for the private store is created at boot
2024-02-25 07:51:24 +00:00
52b8cd0209
modules/persist: ensure backing directory is created *before* we mount
2024-02-25 07:22:50 +00:00
00bf2f79cc
ssh: clean up /etc/ssh/host_keys persistence
2024-02-25 05:19:44 +00:00
73b2594d9b
programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent"
2024-02-25 01:59:01 +00:00
a55dc5332d
modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option
...
some programs will want this, to create directories by name; e.g. archive managers
2024-02-25 01:48:10 +00:00
86108518da
modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect
2024-02-25 01:43:39 +00:00
879d01ac2e
modules/ssh: note that theres a better store to place the ssh host_keys in
2024-02-24 12:14:14 +00:00
0448df51e3
modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag
2024-02-24 12:00:58 +00:00
8e3eed7d51
modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel
...
this will make it easier to intercept
2024-02-24 11:57:42 +00:00
88a70b41f1
modules/programs: handle more symlink forms when calculating a program's sandbox closure
2024-02-24 11:47:39 +00:00
6f59254a22
modules/programs: fix symlink following
2024-02-24 05:36:44 +00:00
4023960dc0
README: MANUAL MIGRATION: move "plaintext" store to /nix/persist/plaintext
...
to migrate the data:
```sh
$ sudo mkdir /nix/persist/plaintext
$ sudo mv /nix/persist/{etc,home,var} /nix/persist/plaintext
$ sudo ln -s plaintext/etc /nix/persist/etc #< temporarily; if deploying over ssh
$ switch
$ reboot
$ sudo rm /nix/persist/etc #< if you did the symlink earlier
```
2024-02-23 18:02:17 +00:00
fff9f9d49a
README: MANUAL MIGRATION: move "private" store to /nix/persist/private
...
to migrate the data, first unmount `~/private` (`sane-private-lock`), then:
```sh
$ sudo mv /nix/persist/home/colin/private /nix/persist
$ switch
$ reboot
```
2024-02-23 16:01:09 +00:00
d7402ae170
persist: stores: make naming more consistent
2024-02-23 14:57:20 +00:00
6267e7f966
tidy up small persist/private nitpicks
2024-02-23 14:44:38 +00:00
120a41b169
persistence: split /var/log persistence into dedicated "initrd" store
2024-02-23 14:42:47 +00:00
aa0991bd6c
persistence: cleanup so it all works well with symlink-based stores
2024-02-23 13:09:44 +00:00
af2f97d61e
fs: ensure-file: don't error if the file already exists
2024-02-23 11:29:14 +00:00
5b8f13d9cc
fs: notice when a fs entry is set to two incompatible types (e.g. symlink + dir) and error
2024-02-23 11:24:32 +00:00
c2696c1cd9
gnome-keyring: use sane.fs abstractions to write out the keyrings
2024-02-23 08:57:41 +00:00
057b9e3fed
replace links/references to ~/private/FOO with just ~/FOO
2024-02-23 07:06:29 +00:00
170eeeacc4
programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure
2024-02-23 07:06:29 +00:00
a402822084
move "private" store to /mnt/persist/private instead of ~/private
...
this will allow me to add all of ~ to a sandbox without giving all of ~/private
2024-02-23 07:06:29 +00:00
80ecdcc4f9
persist: plaintext: consider "/mnt/persist/plaintext" as the logical root, and abstract away "/nix/persist"
2024-02-23 07:06:29 +00:00
0864790bb7
docs: modules/persist: document the "origin" store parameter
2024-02-23 07:06:29 +00:00
478747a96e
modules/persist: change default mounting method to symlink
...
this changes the plaintext and cryptClearOnBoot stores: private was already symlink-based.
this isn't strictly necessary: the rationale is:
1. `mount` syscall *requires* CAP_SYS_ADMIN (i.e. superuser/suid).
that's causing problems with sandboxing, particularly ~/private.
that doesn't affect other stores *yet*, but it may in the future.
2. visibility. i.e. it makes *clear* where anything is persisted.
if `realpath` doesn't evaluate to `/nix/persist`, then it's not
persisted.
2024-02-23 07:06:29 +00:00
2a528a5d8e
sane-sandboxed: leave a note about future mount work
2024-02-21 16:08:42 +00:00
c6470918de
types.string -> types.str
2024-02-21 00:25:44 +00:00
bb569b1668
sane-vpn: port away from systemd so that i can use it as an ordinary user (no sudo)
2024-02-20 22:21:02 +00:00
34524ea3e4
modules/vpn: fix the vpn-* systemd services
2024-02-20 20:40:46 +00:00
d7be5da483
warnings.nix: port to a proper module
2024-02-20 11:19:12 +00:00
34dedcff57
modules/programs: sane-sandboxed: fix normPath handling of paths containing special characters like [
2024-02-19 15:32:23 +00:00
95cb5624ca
modules/programs: sane-sandboxed: fix but that --sane-sandbox-path / wasnt being canonicalized
2024-02-18 13:53:53 +00:00
600f6eb56c
modules/programs: sane-sandboxed: remove all remaining forks/subshells
...
launchtime for firefox in bwrap is about 65ms; 35ms for --sane-sandbox-method none
2024-02-18 13:15:04 +00:00
fd6f8493a7
modules/programs: sane-sandboxed: remove all forking from normPath
...
reduces time for librewolf benchmark from 90ms -> 65ms. there's still _some_ forking in this script, but it's constant now.
2024-02-18 12:25:03 +00:00
f10f1ee7b1
modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells
...
each subshell causes like 5ms just on my laptop, which really adds up.
this implementation still forks internally, but doesn't exec.
runtime decreases from 150ms -> 90ms for
`time librewolf --sane-sandbox-replace-cli true`
2024-02-18 12:08:23 +00:00
cef2591425
modules/programs: sane-sandboxed: capshonly/landlock: don't request capabilities we know won't be granted
2024-02-17 16:30:18 +00:00
4ced02b0b2
modules/programs: make-sandboxed: fix incorrect "priority" attribute
2024-02-17 03:32:49 +00:00
029ba43bd6
modules/programs: sane-sandboxed: invoke "capsh" with the --no-new-privs argument
2024-02-16 05:48:50 +00:00
8c9c6ec979
modules/programs: make-sandboxed: support /libexec binaries
2024-02-16 03:15:45 +00:00
1edb1fc8b6
modules/programs: sane-sandboxed: avoid adding the sandbox implementation to $PATH
2024-02-15 17:58:22 +00:00
8d20dcadd1
modules/programs: sane-sandboxed: add --sane-sandbox-keep-pidspace flag
2024-02-15 15:05:28 +00:00
c943442c94
modules/programs: sane-sandboxed: add --sane-sandbox-method none for benchmarking
2024-02-15 13:13:39 +00:00
02dd629616
modules/programs: sane-sandboxed: rework so portal env vars arent set when sandbox is disabled
...
and by setting them only at launch time we aid introspectability/debugging
2024-02-15 11:57:36 +00:00
5f1036118f
modules/programs: sandboxing: add a "whitelistX" option
2024-02-15 00:09:16 +00:00
22ca253ae0
modules/programs: better document the env
option
2024-02-14 11:08:43 +00:00
8b32f2f231
modules/programs: add support for 'autodetectCliPaths = parent'
2024-02-14 04:31:59 +00:00
080bd856ec
programs: sandboxing: only permit wayland socket access to those specific apps which require it
2024-02-14 01:49:49 +00:00
548a95a7e1
modules/programs: sandboxing: unshare ipc/cgroup/uts by default
2024-02-14 01:48:59 +00:00
34b148f6cc
modules/programs: allow specifying perlPackages members as programs, as i do with python3Packages, etc
2024-02-13 12:31:04 +00:00
1a18ed533b
programs: don't include dbus in the sandbox by default
2024-02-13 11:58:33 +00:00
6eaaeeb91a
programs: remove audio from the sandbox by default
2024-02-13 11:14:38 +00:00
bb68506839
modules/programs: add separate "user" v.s. "system" options for whitelistDbus
2024-02-13 10:55:10 +00:00
126f3e4922
programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default
2024-02-13 10:28:30 +00:00
73afceb8c6
modules/programs: sandbox: add whitelistWayland
option
2024-02-13 10:24:35 +00:00
27fd81ad80
modules/programs: add new options for whitelisting audio/dbus
2024-02-12 15:23:35 +00:00
d82b4b0f62
modules/programs: sane-sandboxed: reorder the --sane-sandbox-profile-dir arg so it takes precedence
2024-02-12 14:56:48 +00:00
7b28023e08
modules/programs: re-introduce the "withEmbeddedSandboxer" passthru attr
2024-02-12 14:27:48 +00:00
2b9db897a1
implement sane.defaultUser
attr
2024-02-12 14:27:32 +00:00
6124cb9b36
modules/programs: sane-sandboxed: search for profiles in XDG_DATA_DIRS, not NIX_PROFILES
2024-02-12 13:16:48 +00:00
b0394d877d
modules/programs: rename allowedRootPaths -> allowedPaths
...
now that allowedHomePaths doesn't exist
2024-02-12 13:00:10 +00:00
14d8230821
modules/programs: sane-sandboxed: remove --sane-sandbox-home-path argument and plumbing
...
no longer needed, and mixing this with root paths is liable to cause troubles at this point, around symlink dereferencing/canonicalization/etc
2024-02-12 12:57:54 +00:00
a90b5b53db
modules/programs: sandboxing: dereference symlinks and also include those in the sandbox
2024-02-12 12:48:02 +00:00
eee3e138ff
modules/programs: sandboxing: allow specifying individual /run/user/$uid paths to expose to the sandbox
2024-02-12 12:18:59 +00:00
f61cd17e99
modules/programs: sandboxing: specialize profiles per-user by expanding $HOME
2024-02-12 12:08:58 +00:00
3e0b0a0f02
modules/programs: make-sandboxed: lift profile creation logic out to the toplevel
2024-02-12 11:52:33 +00:00
2ee34e9af3
modules/profiles: remove sandbox.embedProfile option
...
with upcoming refactors, this setting would force a different package to be installed per user, which doesn't mesh with the existing sane.programs infra
2024-02-12 11:35:59 +00:00
7c05d221d6
modules/programs: split "make-sandbox-profile" out of "make-sandboxed"
2024-02-12 11:20:40 +00:00
93012664e5
modules/programs: simplify how sandbox profiles make it into system packages
2024-02-12 10:52:44 +00:00