programs: sandbox nethogs, nmon, nixpkgs-review

2024-02-16 05:27:50 +00:00 · 2024-02-16 05:27:50 +00:00 · 1a972927b6
commit 1a972927b6
parent 5f3ec42f57
1 changed files with 18 additions and 0 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -473,6 +473,24 @@ in
    nano.sandbox.wrapperType = "wrappedDerivation";
    nano.sandbox.autodetectCliPaths = "existingFileOrParent";

+    nethogs.sandbox.method = "capshonly";  # *partially* works under landlock w/ full access to /
+    nethogs.sandbox.wrapperType = "wrappedDerivation";
+    nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
+
+    nmon.sandbox.method = "landlock";
+    nmon.sandbox.wrapperType = "wrappedDerivation";
+    nmon.sandbox.extraPaths = [
+      "/proc"
+    ];
+
+    nixpkgs-review.sandbox.method = "bwrap";
+    nixpkgs-review.sandbox.wrapperType = "inplace";  #< shell completions use full paths
+    nixpkgs-review.sandbox.net = "clearnet";
+    nixpkgs-review.sandbox.whitelistPwd = true;
+    nixpkgs-review.sandbox.extraPaths = [
+      "/nix"
+    ];
+
    # settings (electron app)
    obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];