programs: sandboxing: link /etc into sandboxed programs

this is crucial for e.g. swaync, to find its resource files. maybe a good idea to link *every* package directory which i also link into /run/current-system.
2024-02-27 22:25:17 +00:00 · 2024-02-27 22:25:17 +00:00 · 8f424dcd5a
commit 8f424dcd5a
parent 7fb7f72bc0
3 changed files with 13 additions and 8 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -213,7 +213,7 @@ in
    blanket.sandbox.whitelistWayland = true;

    blueberry.sandbox.method = "bwrap";
-    blueberry.sandbox.wrapperType = "wrappedDerivation";
+    blueberry.sandbox.wrapperType = "inplace";  # /etc/xdg/autostart hardcodes paths
    blueberry.sandbox.whitelistWayland = true;
    blueberry.sandbox.extraPaths = [
      "/dev/rfkill"
@ -448,7 +448,7 @@ in

    # gnome-disks
    "gnome.gnome-disk-utility".sandbox.method = "bwrap";
-    "gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
+    "gnome.gnome-disk-utility".sandbox.wrapperType = "inplace";  # /etc/xdg/autostart
    "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
    "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;

@ -820,7 +820,7 @@ in

    # use like `sudo smartctl /dev/sda -a`
    smartmontools.sandbox.method = "landlock";
-    smartmontools.sandbox.wrapperType = "wrappedDerivation";
+    smartmontools.sandbox.wrapperType = "inplace";  # ships a script in /etc that calls into its bin
    smartmontools.sandbox.autodetectCliPaths = "existing";
    smartmontools.sandbox.capabilities = [ "sys_rawio" ];

--- a/hosts/common/programs/imagemagick.nix
+++ b/hosts/common/programs/imagemagick.nix
@ -2,7 +2,7 @@
 {
  sane.programs.imagemagick = {
    sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.wrapperType = "inplace";  # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
    sandbox.whitelistPwd = true;
    sandbox.autodetectCliPaths = "existingOrParent";  #< arg formatting is complicated enough that this won't always work.
    packageUnwrapped = pkgs.imagemagick.override {
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@ -218,10 +218,15 @@ let
    sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
      set -e
      mkdir "$out"
-      if [ -e "${unsandboxed}/share" ]; then
-        mkdir "$out/share"
-        ${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/share" "$out/share"
-      fi
+      # link in a limited subset of the directories.
+      # lib/ is the primary one to avoid, because of shared objects that would be unsandboxed if dlopen'd.
+      # all other directories are safe-ish, because they won't end up on PATH or LDPATH.
+      for dir in etc share; do
+        if [ -e "${unsandboxed}/$dir" ]; then
+          mkdir "$out/$dir"
+          ${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/$dir" "$out/$dir"
+        fi
+      done
      runHook postInstall
    '').overrideAttrs (_: {
      # specifically for meta.priority, though it shouldn't actually matter here.