modules/programs: add a whitelistPwd
option to grant the program access to the directory it was called from
parent
97129268f0
commit
3eb3a8db5a
|
@ -259,6 +259,13 @@ let
|
||||||
if a CLI argument looks like a PATH, should we add it to the sandbox?
|
if a CLI argument looks like a PATH, should we add it to the sandbox?
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
sandbox.whitelistPwd = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
allow the program full access to whichever directory it was launched from.
|
||||||
|
'';
|
||||||
|
};
|
||||||
sandbox.binMap = mkOption {
|
sandbox.binMap = mkOption {
|
||||||
type = types.attrsOf types.str;
|
type = types.attrsOf types.str;
|
||||||
default = {};
|
default = {};
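Review bot: The description of `sandbox.whitelistPwd` does not say how wide the grant can be. The working directory is whatever the caller happens to be in, so starting the program from `$HOME` or `/` hands that whole tree to the sandboxed process. I would extend the description to something like `allow the program full access to whichever directory it was launched from. if launched from $HOME or /, that entire tree becomes accessible, so enable this only for programs normally started inside a project directory.`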
|
||||||
|
|
|
@ -15,7 +15,7 @@ let
|
||||||
runHook postFixup
|
runHook postFixup
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
|
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false, whitelistPwd ? false }:
|
||||||
let
|
let
|
||||||
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
||||||
|
|
||||||
|
@ -46,6 +46,7 @@ let
|
||||||
++ allowHomePaths allowedHomePaths
|
++ allowHomePaths allowedHomePaths
|
||||||
++ capabilityFlags
|
++ capabilityFlags
|
||||||
++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
|
++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
|
||||||
|
++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
|
||||||
++ lib.optionals (vpn != null) vpnItems
|
++ lib.optionals (vpn != null) vpnItems
|
||||||
++ extraConfig;
|
++ extraConfig;
|
||||||
|
|
||||||
|
|
|
@ -166,6 +166,10 @@ parseArgs() {
|
||||||
shift
|
shift
|
||||||
rootPaths+=("$_path")
|
rootPaths+=("$_path")
|
||||||
;;
|
;;
|
||||||
|
(--sand-sandbox-add-pwd)
|
||||||
|
_path="$(pwd)"
|
||||||
|
rootPaths+=("$_path")
|
||||||
|
;;
|
||||||
(--sane-sandbox-profile)
|
(--sane-sandbox-profile)
|
||||||
tryLoadProfileByName "$1"
|
tryLoadProfileByName "$1"
|
||||||
shift
|
shift
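Review bot: The new case arm matches `(--sand-sandbox-add-pwd)`, but the wrapper changed in this same commit emits `--sane-sandbox-add-pwd`, so the arm never fires; it should read `(--sane-sandbox-add-pwd)`. As written the flag falls through to whatever parseArgs does with unrecognised arguments (not visible in this hunk), and the working directory is never added to `rootPaths`. Separately, `_path="$(pwd)"` records the logical working directory, which may be a symlinked path; `_path="$(pwd -P)"` would whitelist the resolved directory, though that is unnecessary if the later `rootPaths` handling already canonicalises. parseArgs starts and ends outside this hunk.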
|
||||||
|
|