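# Build the flat list of `--sanebox-*` command-line arguments that describe one
# program's sandbox.
#
# Outer argument:
#   lib                 attrset providing `flatten` and `optionals`.
# Inner arguments:
#   method              value emitted after `--sanebox-method` (required).
#   allowedPaths        each entry is emitted after `--sanebox-path`.
#   allowedHomePaths    each entry is emitted after `--sanebox-home-path`.
#   allowedRunPaths     each entry is emitted after `--sanebox-run-path`.
#   autodetectCliPaths  mode emitted after `--sanebox-autodetect`;
#                       `null` or `false` omits the flag entirely.
#   capabilities        each entry is emitted after `--sanebox-cap`.
#   dns                 `null`, or a list of addresses, each emitted after `--sanebox-dns`.
#   netDev              `null`, or the value emitted after `--sanebox-net-dev`.
#   netGateway          `null`, or the value emitted after `--sanebox-net-gateway`.
#   whitelistPwd        when true, `--sanebox-add-pwd` is emitted.
#   extraConfig         list appended verbatim at the very end.
# Returns: a list in the order method, network, paths, capabilities,
#   autodetect, pwd, extraConfig.
{ lib }:
{ method
, allowedPaths ? []
, allowedHomePaths ? []
, allowedRunPaths ? []
, autodetectCliPaths ? false
, capabilities ? []
, dns ? null
, netDev ? null
, netGateway ? null
, whitelistPwd ? false
, extraConfig ? []
}:
let
  # `flavor` is "", "-home" or "-run"; it selects which path flag is used.
  allowPath = flavor: p: [
    "--sanebox${flavor}-path"
    p
  ];
  allowPaths = flavor: paths: lib.flatten (builtins.map (allowPath flavor) paths);

  capabilityFlags = lib.flatten (builtins.map (c: [ "--sanebox-cap" c ]) capabilities);

  # Each network setting is independent: a gateway or DNS list is emitted even
  # when `netDev` is null.
  netItems = lib.optionals (netDev != null) [
    "--sanebox-net-dev"
    netDev
  ] ++ lib.optionals (netGateway != null) [
    "--sanebox-net-gateway"
    netGateway
  ] ++ lib.optionals (dns != null) (
    lib.flatten (builtins.map
      (addr: [ "--sanebox-dns" addr ])
      dns
    )
  );

  # The parameter defaults to `false`, so testing only for `null` made every
  # caller that left it unset emit `--sanebox-autodetect` followed by a boolean,
  # i.e. a malformed sandbox option. Treat `false` as "disabled" as well.
  # NOTE(review): a boolean `true` is still passed through untranslated; callers
  # are presumably expected to pass the mode as a string -- confirm.
  autodetectItems = lib.optionals
    (autodetectCliPaths != null && autodetectCliPaths != false)
    [ "--sanebox-autodetect" autodetectCliPaths ];
in
  [
    "--sanebox-method" method
  ]
  ++ netItems
  ++ allowPaths "" allowedPaths
  ++ allowPaths "-home" allowedHomePaths
  ++ allowPaths "-run" allowedRunPaths
  ++ capabilityFlags
  ++ autodetectItems
  ++ lib.optionals whitelistPwd [ "--sanebox-add-pwd" ]
  # `extraConfig` is appended unvalidated and last, so every entry is an
  # additional sandbox flag that bypasses the typed options above; review it as
  # part of the sandbox policy.
  # NOTE(review): whether a later flag overrides an earlier one depends on the
  # sandbox's argument parser -- confirm.
  ++ extraConfig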