From 41b1a013d7b3b6ff89777e94f343ab6149e38f8c Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Mon, 19 Feb 2024 17:09:27 +0000
Subject: [PATCH] programs: sane-sudo-redirect: disable sandbox

---
 hosts/common/programs/sane-scripts.nix              | 3 +++
 pkgs/additional/sane-scripts/src/sane-sudo-redirect | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 71771954..12598d9c 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -128,6 +128,9 @@ in
       extraPaths = [ "/nix/var/nix" ];
     };
 
+    # if `tee` isn't trustworthy we have bigger problems
+    "sane-scripts.sudo-redirect".sandbox.enable = false;
+
     "sane-scripts.which".sandbox = {
       method = "bwrap";
       wrapperType = "wrappedDerivation";
diff --git a/pkgs/additional/sane-scripts/src/sane-sudo-redirect b/pkgs/additional/sane-scripts/src/sane-sudo-redirect
index 998b8595..d5c145d8 100755
--- a/pkgs/additional/sane-scripts/src/sane-sudo-redirect
+++ b/pkgs/additional/sane-scripts/src/sane-sudo-redirect
@@ -14,4 +14,4 @@
 # $ sudo do_thing | sane-sudo-redirect /into/file
 # ```
 
-exec sudo tee $@ > /dev/null
+exec sudo tee "$@" > /dev/null