programs: allow sane.strictSandboxing = "warn"
parent
bc50a8c489
commit
4d51c34ad2
|
@ -389,7 +389,7 @@ let
|
||||||
configs = lib.mapAttrsToList (name: p: {
|
configs = lib.mapAttrsToList (name: p: {
|
||||||
assertions = [
|
assertions = [
|
||||||
{
|
{
|
||||||
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || !config.sane.strictSandboxing;
|
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
|
||||||
message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
|
message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -401,6 +401,10 @@ let
|
||||||
message = ''program "${sug}" referenced by "${name}", but not defined'';
|
message = ''program "${sug}" referenced by "${name}", but not defined'';
|
||||||
}) p.suggestedPrograms;
|
}) p.suggestedPrograms;
|
||||||
|
|
||||||
|
warnings = lib.mkIf (config.sane.strictSandboxing == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
|
||||||
|
"program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
|
||||||
|
];
|
||||||
|
|
||||||
system.checks = lib.optionals (p.enabled && p.sandbox.method != null && p.package != null) [
|
system.checks = lib.optionals (p.enabled && p.sandbox.method != null && p.package != null) [
|
||||||
p.package.passthru.checkSandboxed
|
p.package.passthru.checkSandboxed
|
||||||
];
|
];
|
||||||
|
@ -512,8 +516,8 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sane.strictSandboxing = mkOption {
|
sane.strictSandboxing = mkOption {
|
||||||
type = types.bool;
|
type = types.enum [ false "warn" "assert" ];
|
||||||
default = false;
|
default = "warn";
|
||||||
description = ''
|
description = ''
|
||||||
whether to require that every `sane.program` explicitly specify its sandbox settings.
|
whether to require that every `sane.program` explicitly specify its sandbox settings.
|
||||||
'';
|
'';
|
||||||
|
@ -531,6 +535,7 @@ in
|
||||||
sane.users = f.sane.users;
|
sane.users = f.sane.users;
|
||||||
sops.secrets = f.sops.secrets;
|
sops.secrets = f.sops.secrets;
|
||||||
system.checks = f.system.checks;
|
system.checks = f.system.checks;
|
||||||
|
warnings = f.warnings;
|
||||||
};
|
};
|
||||||
in lib.mkMerge [
|
in lib.mkMerge [
|
||||||
(take (sane-lib.mkTypedMerge take configs))
|
(take (sane-lib.mkTypedMerge take configs))
|
||||||
|
|
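Review bot: The `description` of `sane.strictSandboxing` (hunk at -512) still reads as a yes/no question although the type is now `types.enum [ false "warn" "assert" ]`, so it does not say that only `"assert"` fails evaluation and that the new default `"warn"` lets a program with `sandbox.enable` set and `sandbox.method == null` through with just a warning. In that case the `system.checks` entry in the -401 hunk is also skipped, because `checkSandboxed` is only added when `p.sandbox.method != null`, so nothing else in the visible code catches the missing sandbox. I would extend the description with one line per value, for example `false: no check; "warn": evaluation warning only; "assert": fail evaluation`, and state that `"assert"` is the fail-closed setting. `true` is no longer a member of the enum, so any configuration that previously set it presumably has to move to `"assert"`, which is worth noting in the commit message. The predicate is now spelled twice, negated in the assertion and positive in `warnings`; binding it once, e.g. `missingSandbox = p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null;`, would keep the two from drifting apart (the enclosing `name: p:` lambda and `let` start outside the hunks).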