modules/programs: support "sandbox.keepIpc = true"

2024-09-07 22:10:11 +00:00
parent 130ce0e69f
commit 3ef98a5ab3
2 changed files with 12 additions and 0 deletions


@@ -76,6 +76,7 @@ let
autodetectCliPaths
capabilities
extraConfig
keepIpc
keepPids
tryKeepUsers
method
@@ -355,6 +356,13 @@ let
e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
'';
};
sandbox.keepIpc = mkOption {
type = types.bool;
default = false;
description = ''
if `false`, then the process is placed in a new IPC namespace, if the sandboxer supports that.
'';
};
sandbox.keepPids = mkOption {
type = types.bool;
default = false;
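Review bot: The new `sandbox.keepIpc` description only explains the `false` case; it should also say what `true` gives up, since that is the setting a user has to reason about when enabling it. Keeping the IPC namespace means the sandboxed process shares the host's System V IPC objects and POSIX message queues, so any other process on the host can be reached through them; the description should state this so the option is not enabled without that being understood. A second sentence such as `if \`true\`, the process shares the host IPC namespace (SysV shm/sem/msg and POSIX mqueues); only enable this for programs that genuinely need to talk to other host processes this way.` would fit the style of the neighbouring `sandbox.capabilities` text. The rest of the option set continues outside the hunk.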


@@ -7,6 +7,7 @@
autodetectCliPaths ? false,
capabilities ? [],
dns ? null,
keepIpc ? false,
keepPids ? false,
tryKeepUsers ? false,
netDev ? null,
@@ -19,6 +20,7 @@ let
autodetectCliPaths = style: [ "--sanebox-autodetect" style ];
capability = cap: [ "--sanebox-cap" cap ];
dns = addr: [ "--sanebox-dns" addr ];
keepIpc = [ "--sanebox-keep-namespace" "ipc" ];
keepPids = [ "--sanebox-keep-namespace" "pid" ];
tryKeepUsers = [ "--sanebox-keep-namespace" "user" ];
method = method: [ "--sanebox-method" method ];
@@ -32,6 +34,7 @@ let
bunpenGenerators = {
autodetectCliPaths = style: [ "--bunpen-autodetect" style ];
capability = cap: [ "--bunpen-cap" cap ];
keepIpc = [ "--bunpen-keep-ipc" ];
keepPids = [ "--bunpen-keep-pid" ];
method = m: assert m == "bunpen";
# smuggle in some defaults
@@ -79,6 +82,7 @@ in
++ allowPaths "-run" allowedRunPaths
++ capabilityFlags
++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
++ lib.optionals keepIpc gen.keepIpc
++ lib.optionals keepPids gen.keepPids
++ lib.optionals tryKeepUsers gen.tryKeepUsers
++ lib.optionals whitelistPwd gen.whitelistPwd
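Review bot: In the last hunk, `lib.optionals keepIpc gen.keepIpc` evaluates `gen.keepIpc` only when the option is `true`, so a generator set that lacks a `keepIpc` attribute fails with an attribute-missing error at that point rather than at definition time. Only the sanebox and bunpen sets are visible in this diff, and both gain the attribute, so whether another backend exists cannot be told from here; if one does, it either needs the same entry or an explicit assertion with a readable message, since silently dropping the flag would be the wrong direction (the user asked for host IPC and should learn it was not applied). A short comment on the two new generator lines, `# share the host IPC namespace instead of unsharing it`, would also make the flag's effect clear next to `keepPids`. The `let` bodies these hunks sit in start and end outside the hunks.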