colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
8,048 Commits 141 Branches 1 Tag
fc865574bf92bb5d1d02ec8d45dddc2bc595b92d
Commit Graph

8048 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Colin
fc865574bf iputils: sandbox with bunpen 2024-09-07 20:26:36 +00:00
Colin
58b3411c8c iotop: sandbox with bunpen 2024-09-07 20:23:23 +00:00
Colin
e517c5cecf inetutils: sandbox with bunpen 2024-09-07 20:22:29 +00:00
Colin
c735c0e11e iftop: sandbox with bunpen 2024-09-07 20:18:26 +00:00
Colin
41d7268094 forkstat: sandbox with bunpen 2024-09-07 20:16:59 +00:00
Colin
e66c389695 efibootmgr: sandbox with bunpen 2024-09-07 20:04:58 +00:00
Colin
d43a5a4687 btrfs-progs: sandbox with bunpen 2024-09-07 20:01:46 +00:00
Colin
83efe3f552 smartmontools: sandbox with bunpen 2024-09-07 20:00:22 +00:00
Colin
5742101191 powertop: sandbox with bunpen 2024-09-07 19:59:59 +00:00
Colin
7b5508c91d g4music: sandbox with bunpen 2024-09-07 19:23:05 +00:00
Colin
0b11c0e790 sane-backup-rsync-net: remove dead SANEBOX_PREPEND flags 
i'm not actually sure how this is still working, with bunpen? but it *seems* to be
 2024-09-07 19:12:13 +00:00
Colin
aeea904e5b seatd/bunpen: remove the need for CAP_SETPCAP 2024-09-07 18:58:47 +00:00
Colin
64e302eb20 go2tv: sandbox with bunpen 2024-09-07 18:37:18 +00:00
Colin
91a9d6e0d6 fcitx5: re-enable 2024-09-07 18:35:55 +00:00
Colin
f593b8ca4a nwg-panel/torch-toggle: sandbox with bunpen 2024-09-07 18:33:08 +00:00
Colin
30060e4bb1 bunpen/seatd: remove CAP_NET_ADMIN: creating a net namespace does NOT require that, rather it was a quirk in bwrap 2024-09-07 18:32:29 +00:00
Colin
9b8bdfaf5e seatd: ACTUALLY sandbox with bunpen 2024-09-07 18:24:33 +00:00
Colin
fc72884c2e hosts/common: persist ~/.cache/mesa_shader_cache_db 2024-09-07 17:27:15 +00:00
Colin
8f47636ee0 ols: sandbox with bunpen 2024-09-07 17:26:30 +00:00
Colin
f68fbb0e0b bunpen/seatd namespacing: clarify that CAP_NET_ADMIN requirement is surprising 2024-09-07 17:14:50 +00:00
Colin
7ce82ca735 seatd: remove no-longer-necessary ambient caps 2024-09-07 17:01:05 +00:00
Colin
7ce098f2bb bunpen: --bunpen-try-user will now raise the capabilities it needs, as part of that 2024-09-07 17:00:34 +00:00
Colin
454c109ef8 seatd: sandbox with bunpen 2024-09-07 15:39:50 +00:00
Colin
4dfc0bf323 sane-open: fix keyboard toggling to be compatible with bunpen 2024-09-07 08:36:32 +00:00
Colin
2d1e7777e8 sm64ex-coop-deluxe: ship (and configure so that you dont have to drag the rom) 2024-09-07 06:21:11 +00:00
Colin
1d5f71f935 satellite: sandbox with bunpen 2024-09-07 05:44:40 +00:00
Colin
41a132dd9a geoclue-demo-agent: sandbox with bunpen 2024-09-07 04:31:53 +00:00
Colin
51350d228d where-am-i: sandbox with bunpen 2024-09-07 04:29:45 +00:00
Colin
e9a289cc87 gps-share: sandbox with bunpen 2024-09-07 04:27:20 +00:00
Colin
de47a0521d wvkbd: sandbox with bunpen 2024-09-07 02:14:20 +00:00
Colin
412e698786 bunpen: forward signals through the PID namespace 
this should enable things like wvkbd -- which depend on signals -- to function while sandboxed
 2024-09-07 01:43:34 +00:00
Colin
ed7c5ef89a bunpen: forward signals to the child 
note that pid namespaces will silently not deliver signals to PID 1 for which no handler is installed... i'll have to either install an intermediary PID 1 which forwards to the real process, or peek into /proc/PID/status to check if the signal is deliverable before/after sending it (but that's racy, and eww parsing)
 2024-09-06 23:16:10 +00:00
Colin
9814cb5ad7 bunpen: errors::ext::check: supoort errors::error 2024-09-06 23:13:21 +00:00
Colin
b6d8aa614c bunpen: fix so the integration tests are actually run during the nix build 
heh
 2024-09-06 18:29:20 +00:00
Colin
24440b059c bunpen: write tests for signal deliverability (which shows that the current behavior is incorrect) 2024-09-06 18:12:05 +00:00
Colin
53ec44b3de nixpkgs: 0-unstable-2024-09-05 -> 24.05-unstable-2024-09-06 
N.B.: the different "revs" got merged again while i wasnt looking...
 2024-09-06 17:00:05 +00:00
Colin
e9cd3069fa nixpkgs-wayland: 0-unstable-2024-09-02 -> 0-unstable-2024-09-06 2024-09-06 16:59:23 +00:00
Colin
7b4fc029b2 sops-nix: assets-unstable-2024-09-01 -> assets-unstable-2024-09-05 2024-09-06 16:59:03 +00:00
Colin
cc6e99361d uassets: 0-unstable-2024-09-05 -> 0-unstable-2024-09-06 2024-09-06 16:58:46 +00:00
Colin
ca3dc42586 rsync: sandbox with tryKeepUsers. this lets us rsync things owned by any user, not just the non-superuser invoker 2024-09-06 06:33:45 +00:00
Colin
8255e419be modules/programs: rename "keepUsers" -> "tryKeepUsers" 2024-09-06 06:32:49 +00:00
Colin
9bd5a7e4e4 bunpen: implement --bunpen-try-keep-users to try to keep the user namespace, but create a new one if keeping the existing one would require less sandboxing elsewhere 2024-09-06 06:25:27 +00:00
Colin
baf5aab4b9 sshfs-fuse: sandbox with bunpen 2024-09-06 06:04:23 +00:00
Colin
ce7474603f sway: fix config to not use Xwayland-specific settings 2024-09-06 05:41:34 +00:00
Colin
bf6053985f xwayland: sandbox with bunpen 2024-09-06 05:34:08 +00:00
Colin
c0106c9196 scripts/deploy: deploy to moby over wireguard by default, but allow this to be customized broadly 2024-09-06 05:30:59 +00:00
Colin
038e21a447 schlock: sandbox with bunpen 2024-09-06 05:27:19 +00:00
Colin
6596bad162 foliate: sandbox with bunpen 2024-09-06 05:25:20 +00:00
Colin
c46c5bb3ca komikku: sandbox with bunpen 2024-09-06 05:24:48 +00:00
Colin
8079cc47bf nwg-panel: simplify sandbox definition 2024-09-06 05:23:33 +00:00