ModemManager: make the sandbox more strict
This commit is contained in:
parent
0bb887158b
commit
0fcc3f8d5d
|
@ -7,16 +7,28 @@ in
|
|||
# mmcli needs /run/current-system/sw/share/dbus-1 files to function
|
||||
enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.method = "bwrap"; #< landlock also works
|
||||
sandbox.wrapperType = "inplace"; #< .pc files, GIR files with absolute paths,
|
||||
sandbox.net = "all";
|
||||
sandbox.isolatePids = false;
|
||||
sandbox.net = "all"; #< needed for modem bringup
|
||||
# sandbox.isolatePids = false;
|
||||
sandbox.capabilities = [
|
||||
"net_admin"
|
||||
"net_raw"
|
||||
];
|
||||
sandbox.extraPaths = lib.warn "TODO: modemmanager: sandbox more aggressively" [
|
||||
"/"
|
||||
# "/"
|
||||
"/dev" #v modem-power + net are not enough
|
||||
# "/dev/modem-power"
|
||||
# "/dev/net"
|
||||
"/proc"
|
||||
# /run #v can likely be reduced more
|
||||
"/run/dbus"
|
||||
"/run/NetworkManager"
|
||||
"/run/resolvconf"
|
||||
"/run/systemd"
|
||||
"/run/udev"
|
||||
"/sys"
|
||||
# "/var"
|
||||
];
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user