From 3cd244be762a76d3061083988cfc97c375a80b70 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 28 Jan 2024 10:36:19 +0000
Subject: [PATCH] git: sandbox with bwrap
---
 hosts/common/programs/git.nix | 65 ++++++++++++++++++++---------------
 1 file changed, 38 insertions(+), 27 deletions(-)
diff --git a/hosts/common/programs/git.nix b/hosts/common/programs/git.nix
index 4bfbf6cf8..fc5da558c 100644
--- a/hosts/common/programs/git.nix
+++ b/hosts/common/programs/git.nix
@@ -6,38 +6,49 @@ let
 mkCfg = lib.generators.toINI { };
 in
 {
- sane.programs.git.fs.".config/git/config".symlink.text = mkCfg {
- # top-level options documented:
- # -
+ sane.programs.git = {
+ sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation"; # can't pass installCheckPhase :?
+ sandbox.whitelistPwd = true;
+ sandbox.extraHomePaths = [
+ # even with `whitelistPwd`, git has to crawl *up* the path -- which isn't necessarily in the sandbox -- to locate parent .git files
+ "dev"
+ "ref"
+ ".ssh/id_ed25519"
+ ];
+ fs.".config/git/config".symlink.text = mkCfg {
+ # top-level options documented:
+ # -
- user.name = "Colin";
- user.email = "colin@uninsane.org";
+ user.name = "Colin";
+ user.email = "colin@uninsane.org";
- alias.amend = "commit --amend --no-edit";
- alias.br = "branch";
- alias.co = "checkout";
- alias.cp = "cherry-pick";
- alias.d = "difftool";
- alias.dif = "diff"; # common typo
- alias.difsum = "diff --compact-summary"; #< show only the list of files which changed, not contents
- alias.rb = "rebase";
- alias.st = "status";
- alias.stat = "status";
+ alias.amend = "commit --amend --no-edit";
+ alias.br = "branch";
+ alias.co = "checkout";
+ alias.cp = "cherry-pick";
+ alias.d = "difftool";
+ alias.dif = "diff"; # common typo
+ alias.difsum = "diff --compact-summary"; #< show only the list of files which changed, not contents
+ alias.rb = "rebase";
+ alias.st = "status";
+ alias.stat = "status";
- diff.noprefix = true; #< don't show a/ or b/ prefixes in diffs
- # difftastic docs:
- # -
- diff.tool = "difftastic";
- difftool.prompt = false;
- "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
- # now run `git difftool` to use difftastic git
+ diff.noprefix = true; #< don't show a/ or b/ prefixes in diffs
+ # difftastic docs:
+ # -
+ diff.tool = "difftastic";
+ difftool.prompt = false;
+ "difftool \"difftastic\"".cmd = ''${pkgs.difftastic}/bin/difft "$LOCAL" "$REMOTE"'';
+ # now run `git difftool` to use difftastic git
- # render dates as YYYY-MM-DD HH:MM:SS +TZ
- log.date = "iso";
+ # render dates as YYYY-MM-DD HH:MM:SS +TZ
+ log.date = "iso";
- sendemail.annotate = "yes";
- sendemail.confirm = "always";
+ sendemail.annotate = "yes";
+ sendemail.confirm = "always";
- stash.showPatch = true;
+ stash.showPatch = true;
+ };
 };
 }
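Review bot: Listing `".ssh/id_ed25519"` in `sandbox.extraHomePaths` puts the private key file itself inside the bwrap sandbox, so git and anything it spawns there (repository hooks, the configured difftool command) can read the key material, which is more than ssh authentication needs. If the sandbox module can expose a socket, an ssh-agent socket would let pushes authenticate while the key stays outside the sandbox; ssh presumably also needs `.ssh/known_hosts` for host-key verification, which this list does not include, so the path set should be confirmed against a test push. Whether these paths are mounted read-only is not visible in the hunk and is worth stating in a comment next to the list. The `# can't pass installCheckPhase :?` comment on `sandbox.wrapperType` does not say which wrapper type fails or what check breaks; expand it to name the alternative that was tried and the failing check. The enclosing `let … in {` attrset begins before the hunk.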