Commit Graph

148 Commits

Author SHA1 Message Date
febedb9323 nits: update --replace uses to --replace-{fail,quiet} as appropriate 2024-03-24 12:49:18 +00:00
03fbb780b2 sane.programs: sandbox: refactor extraRuntimePaths computation 2024-03-24 12:03:38 +00:00
9c0b175260 swaync: allow toggling of s6 services 2024-03-24 11:54:12 +00:00
6102a0301d sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox 2024-03-23 16:37:22 +00:00
5205251f6f programs: xwayland: sandbox it without exposing net access 2024-03-23 15:33:23 +00:00
8c48adefa5 pipewire: move sockets into a subdirectory for easier sandboxing 2024-03-23 13:34:13 +00:00
70b5c57b50 modules/programs: enforce (or rather document) a stricter schema
this should make it easier to switch to a different service manager
2024-03-21 17:16:01 +00:00
b25df1d997 sane-sandboxed: fix capabilities example 2024-03-14 01:36:46 +00:00
4510352c07 sane-sandboxed: implement --sane-sandbox-no-portal flag 2024-03-13 04:49:48 +00:00
430592632c sane-sandboxed: add a help message 2024-03-13 04:49:48 +00:00
56aca78d84 make-sandboxed: also sandbox the .lib output of a package 2024-03-13 04:49:48 +00:00
8029744c90 modules/programs: don't expose *all* of /run/secrets/home to every program
this was actually causing a lot of bwrap errors because that directory's not user-readable

turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following
2024-03-02 18:51:39 +00:00
a45e42910d make-sandboxed: generalize runCommand patch to handle any derivation, called with or without callPackage 2024-03-02 07:11:45 +00:00
db89ac88f0 sane-sandboxed: add new --sane-sandbox-keep-namespace all option 2024-03-01 20:48:56 +00:00
40e30cf2f8 programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that 2024-02-28 17:39:00 +00:00
812c0c8029 packages: reduce the number of packages which are using inplace sandbox wrapping 2024-02-28 17:35:40 +00:00
a4248fd5cc make-sandboxed: don't try to wrap directories
whoops. test -x is true for directories
2024-02-28 16:28:25 +00:00
b302113fc0 modules/programs: require manual definition; don't auto-populate attrset
this greatly decreases nix eval time
2024-02-28 13:35:09 +00:00
6ef729bbaf assorted: prefer runCommandLocal over runCommand where it makes sense 2024-02-27 22:26:56 +00:00
8f424dcd5a programs: sandboxing: link /etc into sandboxed programs
this is crucial for e.g. swaync, to find its resource files.
maybe a good idea to link *every* package directory which i also link
into /run/current-system.
2024-02-27 22:25:17 +00:00
d2df668c9e modules/programs: sane-sandboxed: replace --sane-sandbox-keep-pidspace with --sane-sandbox-keep-namespace <pid|cgroup|ipc|uts> 2024-02-25 12:00:00 +00:00
f807d7c0a2 modules/programs: sane-sandboxed: bwrap: don't virtualize {/dev,/proc,/tmp} if explicitly asked to bind them instead
this is necessary for some programs which want a near-maximal sandbox, like
launchers or shells, or more specifically, `sane-private-do`.
2024-02-25 08:15:39 +00:00
73b2594d9b programs: sandboxing: distinguish between "existingFileOrParent" and "existingOrParent" 2024-02-25 01:59:01 +00:00
a55dc5332d modules/programs: sane-sandboxed: introduce "existingOrParent" autodetect-cli option
some programs will want this, to create directories by name; e.g. archive managers
2024-02-25 01:48:10 +00:00
86108518da modules/programs: sane-sandboxed: add a new "existingFile" option for the cli autodetect 2024-02-25 01:43:39 +00:00
0448df51e3 modules/programs: sane-sandboxed: add a --sane-sandbox-dry-run flag 2024-02-24 12:00:58 +00:00
8e3eed7d51 modules/programs: sane-sandboxed: factor out the actual execution of the sandbox/program into the toplevel
this will make it easier to intercept
2024-02-24 11:57:42 +00:00
88a70b41f1 modules/programs: handle more symlink forms when calculating a program's sandbox closure 2024-02-24 11:47:39 +00:00
6f59254a22 modules/programs: fix symlink following 2024-02-24 05:36:44 +00:00
170eeeacc4 programs: dereference not just the leaf, but any part of the path, when determining a program's sandbox closure 2024-02-23 07:06:29 +00:00
2a528a5d8e sane-sandboxed: leave a note about future mount work 2024-02-21 16:08:42 +00:00
34dedcff57 modules/programs: sane-sandboxed: fix normPath handling of paths containing special characters like [ 2024-02-19 15:32:23 +00:00
95cb5624ca modules/programs: sane-sandboxed: fix bug that --sane-sandbox-path / wasn't being canonicalized 2024-02-18 13:53:53 +00:00
600f6eb56c modules/programs: sane-sandboxed: remove all remaining forks/subshells
launchtime for firefox in bwrap is about 65ms; 35ms for --sane-sandbox-method none
2024-02-18 13:15:04 +00:00
fd6f8493a7 modules/programs: sane-sandboxed: remove all forking from normPath
reduces time for librewolf benchmark from 90ms -> 65ms. there's still _some_ forking in this script, but it's constant now.
2024-02-18 12:25:03 +00:00
f10f1ee7b1 modules/programs: sane-sandboxed: optimize "normPath" to not invoke subshells
each subshell causes like 5ms just on my laptop, which really adds up.
this implementation still forks internally, but doesn't exec.
runtime decreases from 150ms -> 90ms for
`time librewolf --sane-sandbox-replace-cli true`
2024-02-18 12:08:23 +00:00
cef2591425 modules/programs: sane-sandboxed: capshonly/landlock: don't request capabilities we know won't be granted 2024-02-17 16:30:18 +00:00
4ced02b0b2 modules/programs: make-sandboxed: fix incorrect "priority" attribute 2024-02-17 03:32:49 +00:00
029ba43bd6 modules/programs: sane-sandboxed: invoke "capsh" with the --no-new-privs argument 2024-02-16 05:48:50 +00:00
8c9c6ec979 modules/programs: make-sandboxed: support /libexec binaries 2024-02-16 03:15:45 +00:00
1edb1fc8b6 modules/programs: sane-sandboxed: avoid adding the sandbox implementation to $PATH 2024-02-15 17:58:22 +00:00
8d20dcadd1 modules/programs: sane-sandboxed: add --sane-sandbox-keep-pidspace flag 2024-02-15 15:05:28 +00:00
c943442c94 modules/programs: sane-sandboxed: add --sane-sandbox-method none for benchmarking 2024-02-15 13:13:39 +00:00
02dd629616 modules/programs: sane-sandboxed: rework so portal env vars aren't set when sandbox is disabled
and by setting them only at launch time we aid introspectability/debugging
2024-02-15 11:57:36 +00:00
5f1036118f modules/programs: sandboxing: add a "whitelistX" option 2024-02-15 00:09:16 +00:00
22ca253ae0 modules/programs: better document the env option 2024-02-14 11:08:43 +00:00
8b32f2f231 modules/programs: add support for 'autodetectCliPaths = parent' 2024-02-14 04:31:59 +00:00
080bd856ec programs: sandboxing: only permit wayland socket access to those specific apps which require it 2024-02-14 01:49:49 +00:00
548a95a7e1 modules/programs: sandboxing: unshare ipc/cgroup/uts by default 2024-02-14 01:48:59 +00:00
34b148f6cc modules/programs: allow specifying perlPackages members as programs, as i do with python3Packages, etc 2024-02-13 12:31:04 +00:00