diff --git a/dotfiles/project_jail.py b/dotfiles/project_jail.py
index 5dd19bc..5d7cd9f 100755
--- a/dotfiles/project_jail.py
+++ b/dotfiles/project_jail.py
@@ -6,17 +6,22 @@
 import json
 import os
+import subprocess
 import shutil
 import sys
 from pathlib import Path
+import os
 CONFIG_PATH = Path.home() / ".config" / "jails.json"
 MARKER_ENV = "IN_PROJECT_JAIL"
+ANTIJACK_SYSCALL_FILTER = Path.home() / ".config" / "jail-antijack"
+# this is not great because it shares the caches, but oh well
 PROFILES = {
     "rust": [
         ("rw", "~/.cargo/bin"),
         ("rw", "~/.cargo/git"),
+        ("rw", "~/.cargo/registry"),
         ("ro", "~/.gitconfig"),
         ("ro", "~/.rustup")
     ],
@@ -25,7 +30,10 @@ PROFILES = {
         ("rw", "~/.cache/node-gyp"),
         ("ro", "~/.gitconfig")
     ],
-    "python": []
+    "python": [],
+    "gpu": [ # TODO: this is very broad
+        ("rw", "/sys")
+    ]
 }
 def load_config() -> dict[str, dict]:
@@ -57,7 +65,7 @@ def find_matching_entry(cwd: Path, config: dict[str, dict]) -> dict | None:
 def ensure_dir(path: Path) -> None:
     path.mkdir(parents=True, exist_ok=True)
-def build_bwrap_command(entry: dict, cwd: Path) -> list[str]:
+def build_bwrap_command(entry: dict, cwd: Path, fd: int) -> list[str]:
     bwrap = shutil.which("bwrap")
     if not bwrap:
         print("project-jail: bwrap not found in PATH", file=sys.stderr)
@@ -104,19 +112,20 @@ def build_bwrap_command(entry: dict, cwd: Path) -> list[str]:
         "--setenv", MARKER_ENV, "1",
         "--setenv", "PROJECT_ROOT", str(project_root),
         "--chdir", str(cwd),
+        "--seccomp", str(fd)
     ]
     rw_binds = []
-    profile = PROFILES[entry["profile"]]
-    for type, path in profile:
-        path = str(resolve_path(path))
-        if type == "rw":
-            rw_binds.append(path)
-        elif type == "ro":
-            ro_binds.append(path)
-        else:
-            assert False
+    for profile in entry["profile"]:
+        for type, path in PROFILES[profile]:
+            path = str(resolve_path(path))
+            if type == "rw":
+                rw_binds.append(path)
+            elif type == "ro":
+                ro_binds.append(path)
+            else:
+                assert False
     for path in ro_binds:
         if Path(path).exists():
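Review bot: The added `+import os` after `from pathlib import Path` duplicates the `import os` already present at the top of this block; drop the added line, `os` is already in scope. `import subprocess` is inserted between `os` and `shutil`, which keeps the group alphabetical, so only the duplicate needs removing. The new `~/.cargo/registry` rw bind is shared by every jail using the rust profile, as the comment admits; it would help to state the consequence in that comment, e.g. `# shared rw cache: a jailed build may alter unpacked crate sources that later host builds reuse`.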
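Review bot: `("rw", "/sys")` in the new `gpu` profile binds the whole of sysfs writable, which reaches well beyond GPU device attributes, and the `# TODO: this is very broad` comment does not say what the jailed process actually needs from it. Record the requirement in the comment so the bind can be narrowed later, e.g. `# TODO: narrow to the sysfs paths the GPU runtime needs; rw on all of /sys hands the jail every user-writable kernel attribute`. If the GPU stack only reads sysfs, `("ro", "/sys")` keeps the jail's write surface unchanged; confirm against the driver before switching. Every config entry that lists `gpu` inherits this bind through the `PROFILES` loop in `build_bwrap_command`.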
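Review bot: The new `fd` parameter carries a contract the signature does not state: it must be an open, inheritable descriptor onto the seccomp filter, because the body passes it to bwrap as `--seccomp str(fd)` and bwrap can only read it if it survives exec. Add a docstring along the lines of `"""Build the bwrap argv for entry. fd is an inheritable descriptor onto the seccomp filter handed to bwrap via --seccomp; the caller keeps it open until exec."""`. A guard such as `if fd < 0: raise ValueError("fd must be an open descriptor")` would catch a closed or uninitialised value before bwrap fails with a less clear error. The body of build_bwrap_command continues outside this hunk.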
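Review bot: `for profile in entry["profile"]` silently changes the config schema: the removed line indexed `PROFILES[entry["profile"]]` with a single string, so an existing `jails.json` entry whose `profile` is still a string now iterates its characters and dies with a `KeyError` inside `PROFILES[profile]`. Accept both forms, `profiles = [entry["profile"]] if isinstance(entry["profile"], str) else entry["profile"]`, and loop over `profiles`. An unknown profile name still surfaces as a raw `KeyError` traceback; `PROFILES.get(profile)` with a `project-jail: unknown profile` message to stderr would match the bwrap-not-found handling above. The `else: assert False` branch is stripped under `-O`; `raise ValueError(f"bad bind type {type!r}")` keeps the check in place.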
@@ -130,6 +139,7 @@ def build_bwrap_command(entry: dict, cwd: Path) -> list[str]:
         if Path(path).exists():
             cmd += ["--dev-bind", path, path]
+    # TODO: maybe don't pass all this through
     runtime_dir = os.environ.get("XDG_RUNTIME_DIR")
     if runtime_dir and Path(runtime_dir).exists():
         cmd += ["--bind", runtime_dir, runtime_dir]
@@ -151,11 +161,14 @@ def build_bwrap_command(entry: dict, cwd: Path) -> list[str]:
         shell, "-i",
     ]
-    print(cmd)
+    #print(cmd)
     print(f"-> sandbox profile {entry['profile']} for {entry['name']}")
     return cmd
 def main() -> int:
+    if not ANTIJACK_SYSCALL_FILTER.exists():
+        subprocess.run(["antijack", "-o", ANTIJACK_SYSCALL_FILTER]).check_returncode()
     if os.environ.get(MARKER_ENV) == "1":
         return 0
@@ -165,7 +178,12 @@ def main() -> int:
     if not entry:
         return 2
-    cmd = build_bwrap_command(entry, cwd)
+    # TODO: seccomp filter is not invulnerable and this would ideally be pty-based
+    f = open(ANTIJACK_SYSCALL_FILTER, "rb")
+    fd = f.fileno()
+    os.set_inheritable(fd, True)
+    cmd = build_bwrap_command(entry, cwd, fd)
     os.execvp(cmd[0], cmd)
     return 1
diff --git a/dotfiles/sway_config b/dotfiles/sway_config
index ff15fda..a99ccdd 100644
--- a/dotfiles/sway_config
+++ b/dotfiles/sway_config
@@ -225,4 +225,8 @@ mode "resize" {
 set $gnome-schema org.gnome.desktop.interface
 exec_always gsettings set $gnome-schema gtk-icon-theme-name 'Papirus-Light'
+client.focused #5050aa #5050aa #ffffff
+client.focused_inactive #444460 #444460 #ffffff
+client.unfocused #101010 #101010 #909090
 include /etc/sway/config.d/*
diff --git a/dotfiles/waybar_config b/dotfiles/waybar_config
index 48b3da9..f40df25 100644
--- a/dotfiles/waybar_config
+++ b/dotfiles/waybar_config
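Review bot: The `# TODO: maybe don't pass all this through` comment understates what the following lines do: `XDG_RUNTIME_DIR` is bound read-write in full, and that directory typically holds the compositor and session-bus sockets, so a jailed process can talk to those host services with the user's authority regardless of the profile binds above. Make the comment name the actual requirement so the bind can be narrowed, e.g. `# TODO: bind only the sockets the jail needs; the whole runtime dir exposes the session bus and other host services`. The enclosing function starts and ends outside this hunk.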
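Review bot: `main` now runs the `antijack` generation before the `MARKER_ENV` early return, so a nested invocation inside the jail re-runs it whenever `ANTIJACK_SYSCALL_FILTER` is not visible there — which it will not be if `~/.config` is not among the binds; move `if os.environ.get(MARKER_ENV) == "1": return 0` above the new block. `subprocess.run([...]).check_returncode()` is the same as `subprocess.run([...], check=True)`, and a `CalledProcessError` there surfaces as a traceback rather than a `project-jail:` message. `print(f"-> sandbox profile {entry['profile']} ...")` now prints a list repr because this commit turned `profile` into a list; `', '.join(entry['profile'])` reads better. The commented-out `#print(cmd)` should be deleted rather than kept.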
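Review bot: `f` is opened and never closed, which is intentional here — the descriptor must stay open until `os.execvp` so bwrap can read it through `--seccomp` — but nothing says so, and a later cleanup into a `with` block that closes before exec would silently drop the filter. Add `# keep f referenced until execvp: the fd must stay open and inheritable for bwrap --seccomp` above the `open` call. Python opens files non-inheritable by default (PEP 446), which is why `os.set_inheritable(fd, True)` is needed; that belongs in the same comment. If `antijack` did not produce the file, `open` raises `FileNotFoundError` as a traceback; catching it, printing a `project-jail:` message to stderr and returning non-zero would match the rest of `main`.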
@@ -121,8 +121,8 @@
     "network": {
         // "interface": "wlp2*", // (Optional) To force the use of this interface
         "format-wifi": "{essid} ({signalStrength}%) ",
-        "format-ethernet": "↑ {bandwidthUpBytes} ↓ {bandwidthDownBytes} ",
-        "format-linked": "{ifname} (No IP) ",
+        "format-ethernet": "↑ {bandwidthUpBytes} ↓ {bandwidthDownBytes}",
+        "format-linked": "{ifname} (No IP)",
         "format-disconnected": "Disconnected ⚠",
         "format-alt": "{ifname}: {ipaddr}/{cidr}",
         "tooltip-format": "{ifname}: {ipaddr}/{cidr}"
diff --git a/dotfiles/waybar_style.css b/dotfiles/waybar_style.css
index d4c43a7..513c180 100644
--- a/dotfiles/waybar_style.css
+++ b/dotfiles/waybar_style.css
@@ -2,7 +2,7 @@
     border: none;
     border-radius: 0;
     /* `otf-font-awesome` is required to be installed for icons */
-    font-family: 'Iosevka', 'Font Awesome 6 Free';
+    font-family: 'Font Awesome 6 Free', 'Iosevka', 'Font Awesome 6 Free';
     /*font-family: 'Iosevka';*/
     font-size: 16px;
     min-height: 0;
@@ -84,6 +84,9 @@ window#waybar.chromium {
     margin: 0 4px;
     color: #ffffff;
 }
+#idle_inhibitor {
+    padding: 0 12px 0 12px;
+}
 #window,
 #workspaces {
@@ -101,7 +104,8 @@ window#waybar.chromium {
 }
 #clock {
-    background-color: #64727D;
+    background-color: #ffffff;
+    color: #000000;
 }
 #battery {
@@ -136,12 +140,13 @@ label:focus {
 }
 #cpu {
-    background-color: #2ecc71;
+    background-color: #ffffff;
     color: #000000;
 }
 #memory {
-    background-color: #9b59b6;
+    background-color: #ffffff;
+    color: #000000;
 }
 #disk {
@@ -153,7 +158,8 @@ label:focus {
 }
 #network {
-    background-color: #2980b9;
+    background-color: #ffffff;
+    color: #000000;
 }
 #network.disconnected {
@@ -161,7 +167,7 @@ label:focus {
 }
 #pulseaudio {
-    background-color: #f1c40f;
+    background-color: #ffffff;
     color: #000000;
 }
@@ -193,7 +199,7 @@ label:focus {
 }
 #tray {
-    background-color: #2980b9;
+    background-color: #ffffff;
 }
 #tray > .passive {
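Review bot: The new `font-family` lists `'Font Awesome 6 Free'` twice; the trailing repeat is dead and should be dropped: `font-family: 'Font Awesome 6 Free', 'Iosevka';`. Moving the icon font first also means every codepoint it covers is now drawn from it before Iosevka, which appears to be the intent given the comment above it; a short comment such as `/* icon font first so glyphs it covers win over Iosevka */` would keep the next reader from "fixing" the order back.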
@@ -210,7 +216,7 @@ label:focus {
 }
 #idle_inhibitor.activated {
-    background-color: #ecf0f1;
+    background-color: #ffffff;
     color: #2d3436;
 }