colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sanebox: populate --sanebox-net-dev with the actual net device -- not the bridge

Browse Source
This commit is contained in:
Colin 2024-05-25 08:17:38 +00:00
parent ffe599e5cb
commit 118ed5f950
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/programs/default.nix
View File

@ -71,7 +71,7 @@ let
whitelistPwd whitelistPwd
; ;
netDev = if sandbox.net == "vpn" then netDev = if sandbox.net == "vpn" then
vpn.bridgeDevice vpn.name
else else
sandbox.net; sandbox.net;
dns = if sandbox.net == "vpn" then dns = if sandbox.net == "vpn" then

4
pkgs/additional/sanebox/sanebox
View File

@ -574,7 +574,9 @@ firejailIngestPath() {
esac esac
} }
firejailIngestNetDev() { firejailIngestNetDev() {
firejailFlags+=("--net=$1") # XXX: to use a VPN tunnel named `vpn-xyz`, we keep around and link it to a bridge `br-vpn-xyz` externally.
# firejail can then spawn a veth from this bridge and namespace it that way.
firejailFlags+=("--net=br-$1")
} }
firejailIngestDns() { firejailIngestDns() {
firejailFlags+=("--dns=$1") firejailFlags+=("--dns=$1")