ModemManager: make the sandbox more strict

2024-05-30 19:24:55 +00:00 · 2024-05-30 19:24:55 +00:00 · 0fcc3f8d5d
commit 0fcc3f8d5d
parent 0bb887158b
1 changed files with 16 additions and 4 deletions
--- a/hosts/common/programs/modemmanager.nix
+++ b/hosts/common/programs/modemmanager.nix
@ -7,16 +7,28 @@ in
    # mmcli needs /run/current-system/sw/share/dbus-1 files to function
    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;

-    sandbox.method = "bwrap";
+    sandbox.method = "bwrap";  #< landlock also works
    sandbox.wrapperType = "inplace";  #< .pc files, GIR files with absolute paths,
-    sandbox.net = "all";
-    sandbox.isolatePids = false;
+    sandbox.net = "all";  #< needed for modem bringup
+    # sandbox.isolatePids = false;
    sandbox.capabilities = [
      "net_admin"
      "net_raw"
    ];
    sandbox.extraPaths = lib.warn "TODO: modemmanager: sandbox more aggressively" [
-      "/"
+      # "/"
+      "/dev" #v modem-power + net are not enough
+      # "/dev/modem-power"
+      # "/dev/net"
+      "/proc"
+      # /run  #v can likely be reduced more
+      "/run/dbus"
+      "/run/NetworkManager"
+      "/run/resolvconf"
+      "/run/systemd"
+      "/run/udev"
+      "/sys"
+      # "/var"
    ];
  };