programs: inetutils/iptables: sandbox
This commit is contained in:
@@ -468,17 +468,9 @@ in
|
|||||||
iftop.sandbox.capabilities = [ "net_raw" ];
|
iftop.sandbox.capabilities = [ "net_raw" ];
|
||||||
|
|
||||||
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
||||||
# TODO: requires more than this;
|
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
||||||
# - also, sandboxed `ping` doesn't make it onto /run/current-system/sw/bin; unsandboxed `ping` does instead
|
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||||
# inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
inetutils.sandbox.wrapperType = "wrappedDerivation";
|
||||||
# inetutils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
|
|
||||||
iotop.sandbox.method = "landlock";
|
|
||||||
iotop.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iotop.sandbox.extraPaths = [
|
|
||||||
"/proc"
|
|
||||||
];
|
|
||||||
iotop.sandbox.capabilities = [ "net_admin" ];
|
|
||||||
|
|
||||||
inkscape.sandbox.method = "bwrap";
|
inkscape.sandbox.method = "bwrap";
|
||||||
inkscape.sandbox.wrapperType = "wrappedDerivation";
|
inkscape.sandbox.wrapperType = "wrappedDerivation";
|
||||||
@@ -492,6 +484,18 @@ in
|
|||||||
];
|
];
|
||||||
inkscape.sandbox.autodetectCliPaths = true;
|
inkscape.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
|
iotop.sandbox.method = "landlock";
|
||||||
|
iotop.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
iotop.sandbox.extraPaths = [
|
||||||
|
"/proc"
|
||||||
|
];
|
||||||
|
iotop.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
|
iptables.sandbox.method = "landlock";
|
||||||
|
iptables.sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
iptables.sandbox.net = "all";
|
||||||
|
iptables.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
# jq.sandbox.autodetectCliPaths = true; # liable to over-detect
|
# jq.sandbox.autodetectCliPaths = true; # liable to over-detect
|
||||||
|
|
||||||
killall.sandbox.method = "landlock";
|
killall.sandbox.method = "landlock";
|
||||||
|
Reference in New Issue
Block a user