From 0fd8dc2a01410f51f8c8099bbb17f7216c4ef5eb Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Thu, 4 Jul 2024 12:44:28 +0000
Subject: [PATCH] sane-scripts.stop-all-servo: sandbox (correctly, i hope)

---
 hosts/common/programs/sane-scripts.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 42c5a367..fffe5ba2 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -206,7 +206,13 @@ in
       ];
     };
 
-    "sane-scripts.stop-all-servo" = {};
+    "sane-scripts.stop-all-servo".sandbox = {
+      method = "bwrap";
+      extraPaths = [
+        "/run/dbus"
+        "/run/systemd"
+      ];
+    };
 
     # if `tee` isn't trustworthy we have bigger problems
     "sane-scripts.sudo-redirect".sandbox.enable = false;