seatd: sandbox
This commit is contained in:
parent
0f7d25d8a5
commit
4b9c125c8c
|
@ -4,7 +4,29 @@ let
|
|||
in
|
||||
lib.mkMerge [
|
||||
{
|
||||
sane.programs.seatd = {};
|
||||
sane.programs.seatd = {
|
||||
sandbox.method = "landlock";
|
||||
sandbox.capabilities = [
|
||||
"sys_tty_config" "sys_admin"
|
||||
"chown"
|
||||
"dac_override" #< TODO: is there no way to get rid of this?
|
||||
];
|
||||
sandbox.extraPaths = [
|
||||
"/dev/dri"
|
||||
# "/dev/drm_dp_aux0"
|
||||
# "/dev/drm_dp_aux1"
|
||||
# "/dev/drm_dp_aux2"
|
||||
# "/dev/fb0"
|
||||
"/dev/input"
|
||||
# "/dev/uinput"
|
||||
"/dev/tty0"
|
||||
"/dev/tty1"
|
||||
# "/dev"
|
||||
# "/proc"
|
||||
"/run" #< TODO: confine this to some subdirectory
|
||||
# "/sys"
|
||||
];
|
||||
};
|
||||
}
|
||||
(lib.mkIf cfg.enabled {
|
||||
users.groups.seat = {};
|
||||
|
@ -17,9 +39,13 @@ lib.mkMerge [
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
restartIfChanged = false;
|
||||
|
||||
path = [ "/run/current-system/sw" ]; #< so `sanebox` works
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${cfg.package}/bin/seatd -g seat";
|
||||
Group = "seat";
|
||||
# AmbientCapabilities = [ "CAP_SYS_TTY_CONFIG" "CAP_SYS_ADMIN" ];
|
||||
};
|
||||
};
|
||||
})
|
||||
|
|
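Review bot: The `"/run"` entry in `sandbox.extraPaths` (the TODO line in the first hunk), combined with the retained `chown` and `dac_override` capabilities, means the landlock sandbox still lets seatd read, write and re-own anything under /run — systemd and D-Bus sockets, per-user runtime directories — so most of the confinement the rest of the list buys is undone until that path is narrowed. Landlock grants access per directory, and seatd creates its socket directly under /run (`/run/seatd.sock` by default, if I recall correctly), which is presumably why the whole directory is listed; a tighter layout is to have the unit create a dedicated subdirectory (`RuntimeDirectory`) and point seatd at it with its socket-path option, so only that subdirectory needs to appear in `extraPaths` (clients would then need the matching socket path). The `dac_override` TODO would be easier to close if the comment recorded the access that fails without it, e.g. `#< TODO: needed for <path from the denial log>; fix owner/mode there instead`. In the second hunk the commented-out `AmbientCapabilities` line, which appears to be newly added, now silently duplicates what `sandbox.capabilities` expresses; either drop it or replace it with `# capabilities come from sandbox.capabilities, not systemd`. The enclosing `let … in lib.mkMerge [` body starts before the first hunk.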