curlftpfs: document sandbox attempt

2024-04-23 06:13:05 +00:00 · 2024-04-23 06:13:05 +00:00 · 10fc7bbb84
commit 10fc7bbb84
parent 87e3f2a9ef
1 changed files with 10 additions and 0 deletions
--- a/hosts/common/programs/curlftpfs.nix
+++ b/hosts/common/programs/curlftpfs.nix
@ -21,5 +21,15 @@
        ln -s curlftpfs $out/bin/mount.curlftpfs
      '';
    });
+
+    # TODO: try to sandbox this better? maybe i can have fuse (unsandboxed) invoke curlftpfs (sandboxed)?
+    # - landlock gives EPERM
+    # - bwrap just silently doesn't mount it, maybe because of setuid stuff around fuse?
+    # sandbox.method = "capshonly";
+    # sandbox.net = "all";
+    # sandbox.capabilities = [
+    #   "sys_admin"
+    #   "sys_module"
+    # ];
  };
 }