avahi: sandbox with bunpen

2024-09-19 23:10:28 +00:00
parent 9e74297acd
commit 1cc809b347


@@ -19,7 +19,7 @@ in
packageUnwrapped = pkgs.avahi.overrideAttrs (upstream: {
# avahi wants to do its own sandboxing opaque to systemd & maybe in conflict with my bwrap.
# --no-drop-root disables that, so that i can e.g. run it as User=avahi, etc.
# do this here, because the service isn't so easily patched.
# do this here, because the nixos service isn't so easily patched.
postInstall = (upstream.postInstall or "") + ''
wrapProgram "$out/sbin/avahi-daemon" \
--add-flags --no-drop-root
@@ -28,17 +28,15 @@ in
pkgs.makeBinaryWrapper
];
});
sandbox.method = "bwrap";
sandbox.method = "bunpen";
sandbox.whitelistDbus = [ "system" ];
sandbox.net = "all"; #< otherwise it will show 'null' in place of each interface name.
sandbox.extraPaths = [
"/" #< TODO: decrease this, but be weary that the daemon might exit immediately
];
# sandbox.extraPaths = [ ]; #< may be missing some paths; only tried service discovery, not service advertisement.
};
services.avahi = lib.mkIf cfg.enabled {
enable = true;
package = cfg.package;
package = cfg.packageUnwrapped; #< use systemd sandboxing... not my own
publish.enable = true;
publish.userServices = true;
nssmdns4 = true;
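Review bot: With `package = cfg.packageUnwrapped`, the daemon that systemd starts appears to bypass the bunpen wrapper configured by the `sandbox.*` lines just above, yet it still carries the `--no-drop-root` flag added in `postInstall`, so avahi's own privilege drop is switched off as well. Nothing visible in this hunk gives the unit a non-root user or any hardening, so unless that is set elsewhere in the file the daemon's confinement rests entirely on whatever the upstream NixOS unit declares. I would pin it next to this line, e.g. `systemd.services.avahi-daemon.serviceConfig.User = "avahi";` together with `NoNewPrivileges = true;`, and check the result with `systemd-analyze security avahi-daemon`. The `services.avahi` block continues past the end of the hunk.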