diff --git a/modules/programs/make-sandbox-args.nix b/modules/programs/make-sandbox-args.nix
index 702645edb..2091966a0 100644
--- a/modules/programs/make-sandbox-args.nix
+++ b/modules/programs/make-sandbox-args.nix
@@ -54,7 +54,12 @@ let
 "stderr"
 # bwrap also does some stuff for /dev/{console,core,ptmx,pts,shm}, i don't need those (yet?)
 ]);
- netDev = n: if n == "all" then [ "--bunpen-keep-net" ] else [ "--bunpen-net-dev" n ];
+ # if we need any sort of networking, keep /dev/net/tun. pasta will need that to create its tunnel.
+ # TODO: is this safe?
+ netDev = n: if n == "all" then
+ [ "--bunpen-path" "/dev/net/tun" "--bunpen-keep-net" ]
+ else
+ [ "--bunpen-path" "/dev/net/tun" "--bunpen-net-dev" n ];
 netGateway = netGateway: [ "--bunpen-net-gateway" netGateway ];
 path = p: [ "--bunpen-path" p ];
 path-home = p: [ "--bunpen-home-path" p ];
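Review bot: The `# TODO: is this safe?` is left unanswered while `/dev/net/tun` is now bound into every sandbox that requests any networking, in both branches of `netDev`. `--bunpen-path` is the same flag the `path` helper below uses, so the node is presumably visible to the sandboxed program itself and not only to the helper that builds the tunnel. The TUN/TAP control device normally needs CAP_NET_ADMIN over the relevant network namespace to be useful, so the real exposure depends on which capabilities and namespaces the sandbox retains; that should be confirmed and recorded in place of the TODO. In the `"all"` branch `--bunpen-keep-net` appears to keep the existing network, so it is worth checking whether pasta runs there at all before granting the device in that case. The repeated prefix could also be factored as `netDev = n: [ "--bunpen-path" "/dev/net/tun" ] ++ (if n == "all" then [ "--bunpen-keep-net" ] else [ "--bunpen-net-dev" n ]);`; the enclosing `let` block starts and ends outside the hunk.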