programs: sane-private-change-passwd: sandbox

note that this is entirely untested
2024-02-25 16:35:13 +00:00 · 2024-02-25 16:35:13 +00:00 · 036145e6ba
commit 036145e6ba
parent 5b647a1a90
1 changed files with 10 additions and 0 deletions
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@ -121,6 +121,16 @@ in
      net = "all";
    };

+    "sane-scripts.private-change-passwd".sandbox = {
+      method = "bwrap";
+      wrapperType = "wrappedDerivation";
+      autodetectCliPaths = "existing";  #< for the new `private` location
+      capabilities = [ "sys_admin" ];  # it needs to mount the new store
+      extraHomePaths = [
+        ".persist/private"
+      ];
+    };
+
    "sane-scripts.private-do".sandbox = {
      # because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
      # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.