programs: sane-private-change-passwd: sandbox
note that this is entirely untested
parent
5b647a1a90
commit
036145e6ba
|
@ -121,6 +121,16 @@ in
|
||||||
net = "all";
|
net = "all";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sane-scripts.private-change-passwd".sandbox = {
|
||||||
|
method = "bwrap";
|
||||||
|
wrapperType = "wrappedDerivation";
|
||||||
|
autodetectCliPaths = "existing"; #< for the new `private` location
|
||||||
|
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||||
|
extraHomePaths = [
|
||||||
|
".persist/private"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
"sane-scripts.private-do".sandbox = {
|
"sane-scripts.private-do".sandbox = {
|
||||||
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
|
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
|
||||||
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
|
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
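Review bot: `capabilities = [ "sys_admin" ]` on the new `private-change-passwd` sandbox hands the script a capability that covers much more than `mount`, and the inline comment records only the reason, not what still confines it. Since the commit message says the entry is untested, I would extend the comment to state the intended boundary, e.g. `# sys_admin: needed only to mount the new store; expected to stay confined to the bwrap namespaces (TODO: verify)`. `autodetectCliPaths = "existing"` appears to expose whatever existing path is named on the command line. If the new private location is a fixed path, listing it in `extraHomePaths` next to `.persist/private` would keep the reachable set static while the process holds sys_admin. The `private-do` block that follows continues outside the hunk.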
|
||||||
|
|