networkmanager: cleanup
This commit is contained in:
@@ -24,97 +24,24 @@ in
|
|||||||
"net_admin"
|
"net_admin"
|
||||||
"net_raw"
|
"net_raw"
|
||||||
"net_bind_service" #< TODO: is this needed? why? (DNS?)
|
"net_bind_service" #< TODO: is this needed? why? (DNS?)
|
||||||
# "setgid"
|
# "sys_module"
|
||||||
# "setuid"
|
|
||||||
# "sys_module" #< TODO: is this needed?
|
|
||||||
"audit_write" #< allow writing to the audit log
|
"audit_write" #< allow writing to the audit log
|
||||||
# "kill"
|
# "kill"
|
||||||
# "sys_chroot"
|
|
||||||
];
|
];
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
# "/proc"
|
|
||||||
# "/run"
|
|
||||||
# "/sys"
|
|
||||||
# "/var/lib"
|
|
||||||
#^ works
|
|
||||||
|
|
||||||
# "/dev"
|
|
||||||
# "/proc"
|
|
||||||
# "/run"
|
|
||||||
# "/sys"
|
|
||||||
# "/var/lib/NetworkManager"
|
|
||||||
# "/var/lib/trust-dns" #< for trust-dns-nmhook
|
|
||||||
#^ works
|
|
||||||
|
|
||||||
# # "/dev/net"
|
|
||||||
# # "/dev/rfkill"
|
|
||||||
# # "/proc/sys/net"
|
|
||||||
# "/dev"
|
|
||||||
# "/proc"
|
|
||||||
# "/run/NetworkManager"
|
|
||||||
# "/run/dbus"
|
|
||||||
# "/run/log"
|
|
||||||
# "/run/resolvconf"
|
|
||||||
# "/run/secrets"
|
|
||||||
# "/run/systemd"
|
|
||||||
# "/run/udev"
|
|
||||||
# "/run/user"
|
|
||||||
# "/run/wg-home.priv"
|
|
||||||
# "/var/run/NetworkManager" #< legacy symlinks, which NM wants to crawl
|
|
||||||
# "/var/run/dbus"
|
|
||||||
# "/var/run/log"
|
|
||||||
# "/var/run/resolvconf"
|
|
||||||
# "/var/run/systemd"
|
|
||||||
# "/var/run/udev"
|
|
||||||
# "/var/run/user"
|
|
||||||
# "/sys"
|
|
||||||
# # "/sys/class/net"
|
|
||||||
# # "/sys/devices"
|
|
||||||
# "/var/lib/NetworkManager"
|
|
||||||
# "/var/lib/trust-dns" #< for trust-dns-nmhook
|
|
||||||
#^ works
|
|
||||||
|
|
||||||
# "/dev/net"
|
|
||||||
# "/dev/rfkill" #< TODO: check if really necessary!
|
|
||||||
# "/proc" #< TODO: specify this more precisely
|
|
||||||
# "/proc/acpi"
|
|
||||||
# "/proc/asound"
|
|
||||||
# "/proc/bus"
|
|
||||||
# "/proc/cpuinfo"
|
|
||||||
# "/proc/crypto"
|
|
||||||
# "/proc/devices"
|
|
||||||
# "/proc/driver"
|
|
||||||
# "/proc/fs"
|
|
||||||
# "/proc/irq"
|
|
||||||
# "/proc/modules"
|
|
||||||
# "/proc/net"
|
|
||||||
# "/proc/pressure"
|
|
||||||
"/proc/net"
|
"/proc/net"
|
||||||
"/proc/sys/net"
|
"/proc/sys/net"
|
||||||
# "/proc/sysvipc"
|
|
||||||
# "/proc/tty"
|
|
||||||
"/run/NetworkManager"
|
"/run/NetworkManager"
|
||||||
# "/run/dbus"
|
|
||||||
# "/run/secrets/net"
|
|
||||||
"/run/systemd" # for trust-dns-nmhook
|
"/run/systemd" # for trust-dns-nmhook
|
||||||
"/run/udev"
|
"/run/udev"
|
||||||
# "/run/wg-home.priv" #< TODO: move this into /run/secrets?
|
# "/run/wg-home.priv"
|
||||||
"/sys/class" #< TODO: specify this more precisely
|
"/sys/class" #< TODO: specify this more precisely
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
"/var/lib/NetworkManager"
|
"/var/lib/NetworkManager"
|
||||||
# "/var/lib/bluetooth"
|
|
||||||
# "/var/lib/cups"
|
|
||||||
# "/var/lib/etc_secrets"
|
|
||||||
# "/var/lib/machines"
|
|
||||||
# "/var/lib/nixos"
|
|
||||||
# "/var/lib/portables"
|
|
||||||
# "/var/lib/private"
|
|
||||||
# "/var/lib/systemd" #< rfkill?
|
|
||||||
"/var/lib/trust-dns" #< for trust-dns-nmhook
|
"/var/lib/trust-dns" #< for trust-dns-nmhook
|
||||||
# "/var/lib/udisks2"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# sandbox.whitelistDbus = [ "system" ];
|
sandbox.whitelistDbus = [ "system" ]; #< apparently not actually needed?
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user