programs: forkstat: sandbox

2024-02-19 13:15:15 +00:00 · 2024-02-19 13:15:15 +00:00 · 44647e0d36
commit 44647e0d36
parent da1053d635
1 changed files with 9 additions and 0 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -401,6 +401,15 @@ in
      withWebkit = false;
    };

+    forkstat.sandbox.method = "landlock";  #< doesn't seem to support bwrap
+    forkstat.sandbox.wrapperType = "wrappedDerivation";
+    forkstat.sandbox.extraConfig = [
+      "--sane-sandbox-keep-pidspace"
+    ];
+    forkstat.sandbox.extraPaths = [
+      "/proc"
+    ];
+
    # fuzzel: TODO: re-enable sandbox. i use fuzzel both as an entry system (snippets) AND an app-launcher.
    #   as an app-launcher, it cannot be sandboxed without over-restricting the app it launches.
    #   should probably make it not be an app-launcher