From 3fd89ec91be185053e2cc94d924ed3eaefaf6962 Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 16 Feb 2024 05:28:17 +0000
Subject: [PATCH] programs: sandbox powertop

---
 hosts/common/programs/assorted.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 5b3e5873..2fcd85fa 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -508,6 +508,16 @@ in

 "perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.

+ powertop.sandbox.method = "landlock";
+ powertop.sandbox.wrapperType = "wrappedDerivation";
+ powertop.sandbox.capabilities = [ "cap_ipc_lock" "cap_sys_admin" ];
+ powertop.sandbox.extraPaths = [
+ "/proc"
+ "/sys/class"
+ "/sys/devices"
+ "/sys/kernel"
+ ];
+
 pwvucontrol.sandbox.method = "bwrap";
 pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
 pwvucontrol.sandbox.whitelistAudio = true;
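Review bot: `cap_sys_admin` on the `powertop.sandbox.capabilities` line leaves this sandbox much weaker than `sandbox.method = "landlock"` suggests, because Landlock restricts filesystem access and does not limit what a process holding that capability can do through other privileged syscalls. The `extraPaths` list also exposes all of `/proc` and `/sys/kernel`, so other processes' procfs entries and kernel tunables remain reachable; whether the sandbox module grants these read-only or read-write is not visible in this hunk, which sits inside an attribute set that starts and ends outside it. I would record why each capability is needed in the file's existing trailing-comment style, e.g. `#< cap_sys_admin: presumably for perf/tracing access; TODO: check whether cap_perfmon is enough`, so the grant gets revisited. If powertop still works with narrower entries, list the specific `/proc` and `/sys/kernel` subpaths it reads instead of the whole trees.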