sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge

2024-05-25 08:17:38 +00:00 · 2024-05-25 08:17:38 +00:00 · 118ed5f950
commit 118ed5f950
parent ffe599e5cb
2 changed files with 4 additions and 2 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -71,7 +71,7 @@ let
            whitelistPwd
          ;
          netDev = if sandbox.net == "vpn" then
-            vpn.bridgeDevice
+            vpn.name
          else
            sandbox.net;
          dns = if sandbox.net == "vpn" then
--- a/pkgs/additional/sanebox/sanebox
+++ b/pkgs/additional/sanebox/sanebox
@ -574,7 +574,9 @@ firejailIngestPath() {
  esac
 }
 firejailIngestNetDev() {
-  firejailFlags+=("--net=$1")
+  # XXX: to use a VPN tunnel named `vpn-xyz`, we keep around and link it to a bridge `br-vpn-xyz` externally.
+  # firejail can then spawn a veth from this bridge and namespace it that way.
+  firejailFlags+=("--net=br-$1")
 }
 firejailIngestDns() {
  firejailFlags+=("--dns=$1")