modules/programs: add a whitelistPwd option to grant the program access to the directory it was called from

modules/programs/default.nix

@@ -259,6 +259,13 @@ let
           if a CLI argument looks like a PATH, should we add it to the sandbox?
         '';
       };
+      sandbox.whitelistPwd = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow the program full access to whichever directory it was launched from.
+        '';
+      };
       sandbox.binMap = mkOption {
         type = types.attrsOf types.str;
         default = {};

modules/programs/make-sandboxed.nix

@@ -15,7 +15,7 @@ let
     runHook postFixup
   '';
 in
-{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
+{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? false, binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false, whitelistPwd ? false }:
 let
   sane-sandboxed' = sane-sandboxed.meta.mainProgram;  #< load by bin name to reduce rebuilds
 
@@ -46,6 +46,7 @@ let
     ++ allowHomePaths allowedHomePaths
     ++ capabilityFlags
     ++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
+    ++ lib.optionals whitelistPwd [ "--sane-sandbox-add-pwd" ]
     ++ lib.optionals (vpn != null) vpnItems
     ++ extraConfig;
 

modules/programs/sane-sandboxed

@@ -166,6 +166,10 @@ parseArgs() {
         shift
         rootPaths+=("$_path")
         ;;
+      (--sand-sandbox-add-pwd)
+        _path="$(pwd)"
+        rootPaths+=("$_path")
+        ;;
       (--sane-sandbox-profile)
         tryLoadProfileByName "$1"
         shift