programs: host/iproute2/iw/nettools/wirelesstools: sandbox
parent
9510817604
commit
31fa21bd20
|
@ -22,7 +22,7 @@ in
|
|||
"iproute2"
|
||||
"iputils"
|
||||
"nettools"
|
||||
# if config.networking.wireless.enable:
|
||||
# if config.networking.wireless.enable (TODO: don't ship these on desko/servo!)
|
||||
"wirelesstools"
|
||||
"iw"
|
||||
];
|
||||
|
@ -475,6 +475,10 @@ in
|
|||
hdparm.sandbox.wrapperType = "wrappedDerivation";
|
||||
hdparm.sandbox.autodetectCliPaths = true;
|
||||
|
||||
host.sandbox.method = "landlock";
|
||||
host.sandbox.wrapperType = "wrappedDerivation";
|
||||
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
||||
|
||||
htop.sandbox.method = "landlock";
|
||||
htop.sandbox.wrapperType = "wrappedDerivation";
|
||||
htop.sandbox.extraPaths = [
|
||||
|
@ -510,11 +514,29 @@ in
|
|||
];
|
||||
iotop.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# provides `ip`, `routel`, others
|
||||
iproute2.sandbox.method = "landlock";
|
||||
iproute2.sandbox.wrapperType = "wrappedDerivation";
|
||||
iproute2.sandbox.net = "all";
|
||||
iproute2.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
iptables.sandbox.method = "landlock";
|
||||
iptables.sandbox.wrapperType = "wrappedDerivation";
|
||||
iptables.sandbox.net = "all";
|
||||
iptables.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# iputils provides `ping` (and arping, clockdiff, tracepath)
|
||||
# TODO: still being shadowed by non-sandboxed iputils
|
||||
# iputils.sandbox.method = "landlock";
|
||||
# iputils.sandbox.wrapperType = "wrappedDerivation";
|
||||
# iputils.sandbox.net = "all";
|
||||
# iputils.sandbox.capabilities = [ "net_raw" ];
|
||||
|
||||
iw.sandbox.method = "landlock";
|
||||
iw.sandbox.wrapperType = "wrappedDerivation";
|
||||
iw.sandbox.net = "all";
|
||||
iw.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# jq.sandbox.autodetectCliPaths = true; # liable to over-detect
|
||||
|
||||
killall.sandbox.method = "landlock";
|
||||
|
@ -594,6 +616,15 @@ in
|
|||
nethogs.sandbox.wrapperType = "wrappedDerivation";
|
||||
nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
|
||||
# provides `arp`, `hostname`, `route`, `ifconfig`
|
||||
nettools.sandbox.method = "landlock";
|
||||
nettools.sandbox.wrapperType = "wrappedDerivation";
|
||||
nettools.sandbox.net = "all";
|
||||
nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
nettools.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
|
||||
networkmanagerapplet.sandbox.method = "bwrap";
|
||||
networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
|
||||
networkmanagerapplet.sandbox.whitelistWayland = true;
|
||||
|
@ -812,6 +843,11 @@ in
|
|||
|
||||
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
|
||||
|
||||
# provides `iwconfig`, `iwlist`, `iwpriv`, ...
|
||||
wirelesstools.sandbox.method = "landlock";
|
||||
wirelesstools.sandbox.wrapperType = "wrappedDerivation";
|
||||
wirelesstools.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
wl-clipboard.sandbox.method = "bwrap";
|
||||
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
||||
wl-clipboard.sandbox.whitelistWayland = true;
|
||||
|
|
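Review bot: `nettools.sandbox.extraPaths = [ "/proc" ]` opens the whole of /proc to binaries that also hold `net_admin` and `net_raw`, which looks wider than the listed tools (`arp`, `hostname`, `route`, `ifconfig`) need, since they mostly read the network subtree. If the sandbox's path rules can express it, narrow this to `/proc/net`; otherwise add a comment above it such as `# TODO: whole /proc is broader than needed; narrow once the required entries are known`. The same least-privilege gap is already acknowledged on `host.sandbox.net = "all"`, where only the local DNS resolver is needed, and marking that comment as a `TODO` would keep it trackable. Separately, `wirelesstools` sets no `sandbox.net` while `iw` sets `"all"` with the same capability, so a one-line comment saying whether the omission is intentional would prevent a later accidental widening.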