modules/programs: add a whitelistPwd
option to grant the program access to the directory it was called from
parent
97129268f0
commit
3eb3a8db5a
|
@ -259,6 +259,13 @@ let
|
|||
if a CLI argument looks like a PATH, should we add it to the sandbox?
|
||||
'';
|
||||
};
|
||||
sandbox.whitelistPwd = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
allow the program full access to whichever directory it was launched from.
|
||||
'';
|
||||
};
|
||||
sandbox.binMap = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {};
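Review bot: The description of `sandbox.whitelistPwd` should say that the granted directory is chosen by whoever launches the program, not by this configuration. If the program is started from the home directory or from `/`, the sandbox would presumably expose that whole tree, whatever the other path allowlists say. I would extend the text to something like `allow the program full access to whichever directory it was launched from; the caller picks that directory at launch time, so enable this only for programs that are started from narrow working directories.` The surrounding option set begins and ends outside the hunk.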
|
||||
|
|
|
@ -15,7 +15,7 @@ let
|
|||
runHook postFixup
|
||||
'';
|
||||
in
|
||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
|
||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false, whitelistPwd ? false }:
|
||||
let
|
||||
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
||||
|
||||
|
@ -46,6 +46,7 @@ let
|
|||
++ allowHomePaths allowedHomePaths
|
||||
++ capabilityFlags
|
||||
++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
|
||||
++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
|
||||
++ lib.optionals (vpn != null) vpnItems
|
||||
++ extraConfig;
|
||||
|
||||
|
|
|
@ -166,6 +166,10 @@ parseArgs() {
|
|||
shift
|
||||
rootPaths+=("$_path")
|
||||
;;
|
||||
(--sand-sandbox-add-pwd)
|
||||
_path="$(pwd)"
|
||||
rootPaths+=("$_path")
|
||||
;;
|
||||
(--sane-sandbox-profile)
|
||||
tryLoadProfileByName "$1"
|
||||
shift
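Review bot: The new case label `(--sand-sandbox-add-pwd)` is misspelled, so it never matches the `--sane-sandbox-add-pwd` flag that the wrapper hunk emits through `lib.optionals whitelistPwd`. It should read `(--sane-sandbox-add-pwd)`, in line with the neighbouring `(--sane-sandbox-profile)` arm. As written the flag falls through to whichever arm handles unrecognised arguments, which is outside this hunk, so the option either does nothing or is handled in an unintended way. Separately, `$(pwd)` is appended to `rootPaths` unconditionally, so consider skipping the addition with a warning when the working directory is `/` or the user's home. parseArgs starts and ends outside the hunk.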
|
||||
|
|