From 036145e6baedb83c3341bfff372ec54a9154b46b Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 25 Feb 2024 16:35:13 +0000
Subject: [PATCH] programs: sane-private-change-passwd: sandbox

note that this is entirely untested
---
 hosts/common/programs/sane-scripts.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 5709c191..e0926a02 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -121,6 +121,16 @@ in
 net = "all";
 };
 
+ "sane-scripts.private-change-passwd".sandbox = {
+ method = "bwrap";
+ wrapperType = "wrappedDerivation";
+ autodetectCliPaths = "existing"; #< for the new `private` location
+ capabilities = [ "sys_admin" ]; # it needs to mount the new store
+ extraHomePaths = [
+ ".persist/private"
+ ];
+ };
+
 "sane-scripts.private-do".sandbox = {
 # because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
 # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
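Review bot: The `capabilities = [ "sys_admin" ];` line in the new `private-change-passwd` entry deserves a fuller comment than `# it needs to mount the new store`: CAP_SYS_ADMIN covers far more than mount(2), so once it is granted this bwrap sandbox mostly scopes what the script can see (`extraHomePaths`) rather than materially limiting what it can do, and a later reader should not mistake it for a privilege-reducing sandbox. A comment along the lines of `# cap_sys_admin: needed to mount the new store; it also carries most of root's other namespace powers, so this sandbox limits visible paths more than privilege` would record that trade-off where it is read. The commit message says the entry is entirely untested, but nothing in the file does; a line such as `# UNTESTED as of 036145e6` next to the header would carry that caveat into sane-scripts.nix itself. The `private-do` entry below documents the same mount constraint in its own words, so it may be worth cross-referencing the two so the reasoning is stated once.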