programs: allow sane.strictSandboxing = "warn"

2024-02-05 05:28:02 +00:00 · 2024-02-05 05:28:02 +00:00 · 4d51c34ad2
commit 4d51c34ad2
parent bc50a8c489
1 changed files with 8 additions and 3 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -389,7 +389,7 @@ let
  configs = lib.mapAttrsToList (name: p: {
    assertions = [
      {
-        assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || !config.sane.strictSandboxing;
+        assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
        message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
      }
      {
@ -401,6 +401,10 @@ let
      message = ''program "${sug}" referenced by "${name}", but not defined'';
    }) p.suggestedPrograms;

+    warnings = lib.mkIf (config.sane.strictSandboxing == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
+      "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
+    ];
+
    system.checks = lib.optionals (p.enabled && p.sandbox.method != null && p.package != null) [
      p.package.passthru.checkSandboxed
    ];
@ -512,8 +516,8 @@ in
      '';
    };
    sane.strictSandboxing = mkOption {
-      type = types.bool;
-      default = false;
+      type = types.enum [ false "warn" "assert" ];
+      default = "warn";
      description = ''
        whether to require that every `sane.program` explicitly specify its sandbox settings.
      '';
@ -531,6 +535,7 @@ in
        sane.users = f.sane.users;
        sops.secrets = f.sops.secrets;
        system.checks = f.system.checks;
+        warnings = f.warnings;
      };
    in lib.mkMerge [
      (take (sane-lib.mkTypedMerge take configs))