programs: inetutils/iptables: sandbox
This commit is contained in:
parent
ab42a4cc5a
commit
4a84de3ee4
|
@ -468,17 +468,9 @@ in
|
|||
iftop.sandbox.capabilities = [ "net_raw" ];
|
||||
|
||||
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
||||
# TODO: requires more than this;
|
||||
# - also, sandboxed `ping` doesn't make it onto /run/current-system/sw/bin; unsandboxed `ping` does instead
|
||||
# inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||
# inetutils.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
iotop.sandbox.method = "landlock";
|
||||
iotop.sandbox.wrapperType = "wrappedDerivation";
|
||||
iotop.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
iotop.sandbox.capabilities = [ "net_admin" ];
|
||||
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
||||
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||
inetutils.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
inkscape.sandbox.method = "bwrap";
|
||||
inkscape.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
@ -492,6 +484,18 @@ in
|
|||
];
|
||||
inkscape.sandbox.autodetectCliPaths = true;
|
||||
|
||||
iotop.sandbox.method = "landlock";
|
||||
iotop.sandbox.wrapperType = "wrappedDerivation";
|
||||
iotop.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
iotop.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
iptables.sandbox.method = "landlock";
|
||||
iptables.sandbox.wrapperType = "wrappedDerivation";
|
||||
iptables.sandbox.net = "all";
|
||||
iptables.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# jq.sandbox.autodetectCliPaths = true; # liable to over-detect
|
||||
|
||||
killall.sandbox.method = "landlock";
|
||||
|
|
Loading…
Reference in New Issue
Block a user