seatd: sandbox

2024-05-29 17:43:40 +00:00 · 2024-05-29 17:43:40 +00:00 · 4b9c125c8c
commit 4b9c125c8c
parent 0f7d25d8a5
1 changed files with 27 additions and 1 deletions
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@ -4,7 +4,29 @@ let
 in
 lib.mkMerge [
  {
-    sane.programs.seatd = {};
+    sane.programs.seatd = {
+      sandbox.method = "landlock";
+      sandbox.capabilities = [
+        "sys_tty_config" "sys_admin"
+        "chown"
+        "dac_override"  #< TODO: is there no way to get rid of this?
+      ];
+      sandbox.extraPaths = [
+        "/dev/dri"
+        # "/dev/drm_dp_aux0"
+        # "/dev/drm_dp_aux1"
+        # "/dev/drm_dp_aux2"
+        # "/dev/fb0"
+        "/dev/input"
+        # "/dev/uinput"
+        "/dev/tty0"
+        "/dev/tty1"
+        # "/dev"
+        # "/proc"
+        "/run"  #< TODO: confine this to some subdirectory
+        # "/sys"
+      ];
+    };
  }
  (lib.mkIf cfg.enabled {
    users.groups.seat = {};
@ -17,9 +39,13 @@ lib.mkMerge [
      wantedBy = [ "multi-user.target" ];
      restartIfChanged = false;

+      path = [ "/run/current-system/sw" ];  #< so `sanebox` works
+
      serviceConfig = {
        Type = "simple";
        ExecStart = "${cfg.package}/bin/seatd -g seat";
+        Group = "seat";
+        # AmbientCapabilities = [ "CAP_SYS_TTY_CONFIG" "CAP_SYS_ADMIN" ];
      };
    };
  })