Both org.mozilla.thunderbird and io.mpv.Mpv are already installed via
flatpak, but several places still launched the system binaries (because
they were in PATH). Worse, `mpv` was kept on the host *only* for the
streamlink-launches-mpv path, and `thunderbird` was being pulled in as
a hard dep of external-editor-revived even though it was never the
mailer actually used. Untangle both.

Thunderbird
-----------
* dot_config/sway/executable_tb-toggle.sh,
  dot_config/sway/executable_tb-autostart.sh:
  swap `thunderbird` → `flatpak run org.mozilla.thunderbird`. The
  `app_id` matcher in sway config already targets the flatpak id, so
  the scratchpad-stash and Super+t toggle keep working unchanged.
* etc/pacman.conf:
  add `AssumeInstalled = thunderbird=999.0-1`. external-editor-revived
  (AUR) hard-depends on `thunderbird`; this satisfies the dep without
  installing the package. Run `sudo pacman -Rns thunderbird` after
  deploy to remove the now-unneeded system binary.
* meta/base.txt: document the AssumeInstalled trick next to the
  external-editor-revived entry.

mpv
---
* dot_config/streamlink/config: `player=mpv` →
  `player=flatpak run io.mpv.Mpv`. The flatpak already pulls in our
  ~/.config/mpv via the read-only filesystem override (see
  run_onchange_after_deploy-flatpak-overrides.sh.tmpl), so behavior is
  unchanged.
* dot_local/bin/executable_linkhandler: same swap for inline video URLs.
* dot_local/bin/executable_mpv: deleted. The wrapper only existed to
  bwrap /usr/bin/mpv into _sandbox-net-parser; flatpak's own sandbox
  supersedes that.
* dot_local/bin/executable__sandbox-net-parser,
  dot_local/bin/executable_streamlink: comment refresh — mpv is no
  longer one of the tools this wraps, and the streamlink wrapper now
  forwards to the flatpak player rather than nested-bwrap caveats.
* meta/base.txt: drop `mpv` from the host package list and update the
  surrounding comment.

README.md: refresh the media row of the stack table to match.

On-host steps:

    chezmoi apply -v
    sudo pacman -Syu                    # picks up AssumeInstalled
    sudo pacman -Rns thunderbird mpv    # safe now
    flatpak install -y flathub org.mozilla.thunderbird io.mpv.Mpv
    swaymsg reload                      # pick up new tb scripts
These three tools are the native (non-flatpak) network parsers in the
install set — every other internet-facing app is already flatpak'd. The
threat model is a RCE in a subtitle/extractor/muxer that walks $HOME
looking for SSH keys, GPG keyring, pass store, cloud tokens, etc.

Approach (defence in depth, not full sandboxing):
- bwrap --bind / / keeps Wayland, PipeWire, DBus, GPU, hwaccel and all
  config files working transparently.
- --tmpfs over known-sensitive dirs (.ssh, .gnupg, .password-store,
  .config/gh, .config/op, .aws, .local/share/keyrings) blanks them
  from the sandbox view; a compromised parser literally cannot see them.
- inner PATH stripped of ~/.local/bin so streamlink's spawn of `mpv`
  resolves to /usr/bin/mpv and does not re-enter the sandbox.
- --die-with-parent + --new-session for tidy lifecycle.
- Escape hatch: SANDBOX=0 mpv ... bypasses for one invocation.
- Graceful degradation if bwrap is missing (warns and execs anyway).

bubblewrap added explicitly to meta/base.txt (was implicit via flatpak).
Wrappers in ~/.local/bin shadow /usr/bin via dot_zprofile:15 PATH order.
Not symlinked into the Ubuntu VM (nix/vm.nix does not touch ~/.local/bin),
which is fine: those tools on the headless VM don't need sandboxing.
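
The approach listed in the commit message above, sketched as a POSIX sh wrapper. This is an added example, not the repository's own script: the function names and the calling convention (absolute path of the real binary as first argument) are assumptions, while the directory list and bwrap flags are the ones the message names.

```shell
#!/bin/sh
# Added example, not the repository's wrapper. Function names are hypothetical;
# the directory list and bwrap flags are the ones named in the commit message.
SENSITIVE_DIRS=".ssh .gnupg .password-store .config/gh .config/op .aws .local/share/keyrings"

# Print PATH value $1 with every entry equal to $2 removed.
strip_path() (
    IFS=:; set -f; out=
    for entry in $1; do
        [ "$entry" = "$2" ] || out="${out:+$out:}$entry"
    done
    printf '%s\n' "$out"
)

# Print, one per line, the sensitive directories that exist under home $1.
# Directories that do not exist are skipped: there is nothing to hide there.
masked_dirs() {
    for d in $SENSITIVE_DIRS; do
        if [ -d "$1/$d" ]; then printf '%s\n' "$1/$d"; fi
    done
}

# Run the real binary given as "$@" (absolute path plus arguments) under bwrap.
sandbox_exec() {
    # Escape hatch: SANDBOX=0 bypasses the sandbox for one invocation.
    if [ "${SANDBOX:-1}" = 0 ]; then exec "$@"; fi
    # Graceful degradation: warn and run unsandboxed when bwrap is missing.
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "warning: bwrap not found, running $1 unsandboxed" >&2
        exec "$@"
    fi
    # Inner PATH without the wrapper directory, so child processes spawned by
    # the tool resolve to the system binaries and do not re-enter this script.
    set -- --setenv PATH "$(strip_path "$PATH" "$HOME/.local/bin")" "$@"
    # Prepend one --tmpfs per existing sensitive directory to the argument list.
    while IFS= read -r dir; do
        if [ -n "$dir" ]; then set -- --tmpfs "$dir" "$@"; fi
    done <<EOF
$(masked_dirs "$HOME")
EOF
    exec bwrap --bind / / --die-with-parent --new-session "$@"
}

# Invoked as: <this script> /usr/bin/streamlink URL...; does nothing without arguments.
if [ "$#" -gt 0 ]; then sandbox_exec "$@"; fi
```

The `--tmpfs` options are placed after `--bind / /` on the final command line because bwrap applies mount operations in argument order, so the empty tmpfs lands on top of the bound directory.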