programs: sane-private-change-passwd: sandbox
note that this is entirely untested
parent
5b647a1a90
commit
036145e6ba
|
@ -121,6 +121,16 @@ in
|
|||
net = "all";
|
||||
};
|
||||
|
||||
"sane-scripts.private-change-passwd".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
autodetectCliPaths = "existing"; #< for the new `private` location
|
||||
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||
extraHomePaths = [
|
||||
".persist/private"
|
||||
];
|
||||
};
|
||||
|
||||
"sane-scripts.private-do".sandbox = {
|
||||
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
|
||||
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
|
||||
|
|
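Review bot: `capabilities = [ "sys_admin" ]` on the new `"sane-scripts.private-change-passwd".sandbox` entry needs a fuller comment than "it needs to mount the new store". CAP_SYS_ADMIN covers far more than mount(2), so a reader cannot tell from this entry what still confines the script. The commit message says the change is entirely untested, and that belongs next to the setting, e.g. `# sys_admin: needed to mount the new store; very broad capability, untested -- confirm it is both necessary and sufficient`. `autodetectCliPaths = "existing"` appears to add whatever existing path is given on the command line to the sandbox's filesystem view, so the comment should name the one argument that is expected. The enclosing attribute set starts before the hunk and the `private-do` entry continues past its end, so its settings could not be compared.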