From 3eb3a8db5a7d23051785916d6596318fad546287 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 28 Jan 2024 05:57:30 +0000
Subject: [PATCH] modules/programs: add a `whitelistPwd` option to grant the program access to the directory it was called from

---
 modules/programs/default.nix | 7 +++++++
 modules/programs/make-sandboxed.nix | 3 ++-
 modules/programs/sane-sandboxed | 4 ++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index a140031c..f9115671 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -259,6 +259,13 @@ let
 if a CLI argument looks like a PATH, should we add it to the sandbox?
 '';
 };
+ sandbox.whitelistPwd = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ allow the program full access to whichever directory it was launched from.
+ '';
+ };
 sandbox.binMap = mkOption {
 type = types.attrsOf types.str;
 default = {};
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index dbdfde09..b233efaa 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -15,7 +15,7 @@ let
 runHook postFixup
 '';
 in
-{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
+{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false, whitelistPwd ? false }:
 let
 sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
@@ -46,6 +46,7 @@ let
 ++ allowHomePaths allowedHomePaths
 ++ capabilityFlags
 ++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
+ ++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
 ++ lib.optionals (vpn != null) vpnItems
 ++ extraConfig;
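Review bot: The description on the new `sandbox.whitelistPwd` option does not mention the degenerate case: a program launched from `$HOME` or `/` with this enabled is granted that whole tree, which largely defeats the sandbox for that invocation. I would extend the description to `allow the program full access to whichever directory it was launched from. beware that launching from $HOME or / exposes that entire tree to the program.` so the trade-off is visible where the option is set. Whether this option is actually forwarded to make-sandboxed.nix is not visible in this diff; presumably the call site passes every `sandbox.*` attribute through, but that is worth confirming.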
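Review bot: The signature change also flips the default of `autodetectCliPaths` from `[]` to `false`, which is unrelated to the commit subject and not mentioned anywhere in the message. The second hunk uses that value as a boolean in `lib.optionals autodetectCliPaths [ ... ]`, so the old list default was presumably a latent type error and this is a real fix, but it should be called out in the commit message or split into its own commit so the change is discoverable later. The enclosing `let` binding continues outside the hunk.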
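Review bot: The flag passed here, `"--sane-sandbox-add-pwd"`, does not match the case pattern the sane-sandboxed hunk introduces, `(--sand-sandbox-add-pwd)` ("sand" vs "sane"), so enabling `whitelistPwd` never reaches the new branch in parseArgs and the flag falls through to whatever the script does with unrecognised arguments, which is not visible here. The fix belongs in sane-sandboxed: change the pattern to `(--sane-sandbox-add-pwd)`, consistent with the existing `--sane-sandbox-autodetect` and `--sane-sandbox-profile` names. The same issue applies to the sane-sandboxed hunk below.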
diff --git a/modules/programs/sane-sandboxed b/modules/programs/sane-sandboxed
index 3bf1d097..48e53acb 100644
--- a/modules/programs/sane-sandboxed
+++ b/modules/programs/sane-sandboxed
@@ -166,6 +166,10 @@ parseArgs() {
 shift
 rootPaths+=("$_path")
 ;;
+ (--sand-sandbox-add-pwd)
+ _path="$(pwd)"
+ rootPaths+=("$_path")
+ ;;
 (--sane-sandbox-profile)
 tryLoadProfileByName "$1"
 shift
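Review bot: The new branch appends `$(pwd)` to rootPaths without checking what that directory is, so invoking the wrapper from `/` would whitelist the entire filesystem if rootPaths entries are exposed as-is, which is the opposite of what the sandbox is for. I would refuse, or at least warn on, that case before the append, e.g. `if [ "$_path" = / ]; then echo "sane-sandboxed: refusing to whitelist /" >&2; exit 1; fi`, following whatever error convention the rest of the script uses. Consider `pwd -P` as well so a symlinked working directory is whitelisted under its resolved path, if that is what the sandbox backend compares against — I cannot tell from this hunk. parseArgs starts before and ends after this hunk.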