From 1cc809b347ed460b0757e76e206448c57604d30c Mon Sep 17 00:00:00 2001
From: Colin
Date: Thu, 19 Sep 2024 23:10:28 +0000
Subject: [PATCH] avahi: sandbox with bunpen
---
 hosts/common/programs/avahi.nix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/hosts/common/programs/avahi.nix b/hosts/common/programs/avahi.nix
index 45052f829..4568e7f93 100644
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -19,7 +19,7 @@ in
 packageUnwrapped = pkgs.avahi.overrideAttrs (upstream: {
 # avahi wants to do its own sandboxing opaque to systemd & maybe in conflict with my bwrap.
 # --no-drop-root disables that, so that i can e.g. run it as User=avahi, etc.
- # do this here, because the service isn't so easily patched.
+ # do this here, because the nixos service isn't so easily patched.
 postInstall = (upstream.postInstall or "") + ''
 wrapProgram "$out/sbin/avahi-daemon" \
 --add-flags --no-drop-root
@@ -28,17 +28,15 @@ in
 pkgs.makeBinaryWrapper
 ];
 });
- sandbox.method = "bwrap";
+ sandbox.method = "bunpen";
 sandbox.whitelistDbus = [ "system" ];
 sandbox.net = "all"; #< otherwise it will show 'null' in place of each interface name.
- sandbox.extraPaths = [
- "/" #< TODO: decrease this, but be weary that the daemon might exit immediately
- ];
+ # sandbox.extraPaths = [ ]; #< may be missing some paths; only tried service discovery, not service advertisement.
 };
 services.avahi = lib.mkIf cfg.enabled {
 enable = true;
- package = cfg.package;
+ package = cfg.packageUnwrapped; #< use systemd sandboxing... not my own
 publish.enable = true;
 publish.userServices = true;
 nssmdns4 = true;
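Review bot: At `package = cfg.packageUnwrapped;` the systemd service stops using the wrapped package, so the `sandbox.method = "bunpen"`, `sandbox.net` and `sandbox.whitelistDbus` settings earlier in this hunk presumably no longer confine the daemon itself, while `packageUnwrapped` still injects `--no-drop-root`, which turns off avahi's own privilege drop. That leaves a network-facing daemon confined only by whatever the systemd unit sets, and none of that is visible in this hunk. I would state the dependency on the line itself, e.g. `package = cfg.packageUnwrapped;  #< bypasses the bunpen wrapper; confinement relies solely on the unit's User=/hardening options`, and check the resulting unit with `systemd-analyze security avahi-daemon.service`. The commented-out `# sandbox.extraPaths = [ ];` is dead configuration; if it stays as a reminder, a plain `# TODO` naming the paths that service advertisement needs would read better. The `services.avahi` attribute set continues past the end of the hunk.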