From 2d17826731fe03e3c3a4741f6e206de22b50d30d Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 19 Feb 2024 15:32:40 +0000
Subject: [PATCH] programs: eza: sandbox with bwrap instead of landlock
---
 hosts/common/programs/assorted.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index e079cd04..8a7d19b4 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -324,7 +324,10 @@ in
 ethtool.sandbox.wrapperType = "wrappedDerivation";
 ethtool.sandbox.capabilities = [ "net_admin" ];
- eza.sandbox.method = "landlock"; # ls replacement
+ # eza `ls` replacement
+ # landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
+ # eza.sandbox.method = "landlock";
+ eza.sandbox.method = "bwrap";
 eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
 eza.sandbox.autodetectCliPaths = true;
 eza.sandbox.whitelistPwd = true;
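Review bot: The commented-out `# eza.sandbox.method = "landlock";` line keeps the old setting around without saying when it should return; one comment such as `# TODO: switch back to landlock once whitelistPwd makes intermediate symlinks traversable` would state the revert condition and let the dead line go. Since `autodetectCliPaths` and `whitelistPwd` stay enabled, it is worth confirming in the sandbox module (not visible here) what the bwrap backend exposes when the working directory is reached through symlinks, as in the `~/Videos/servo/Shows/foo` case; presumably the resolved targets are bound into the sandbox, which widens what eza can read compared with the landlock behaviour the comment describes. The attribute set these lines belong to begins and ends outside the hunk.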