programs: allow sane.strictSandboxing = "warn"
This commit is contained in:
parent
bc50a8c489
commit
4d51c34ad2
|
@ -389,7 +389,7 @@ let
|
|||
configs = lib.mapAttrsToList (name: p: {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || !config.sane.strictSandboxing;
|
||||
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || config.sane.strictSandboxing != "assert";
|
||||
message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
|
||||
}
|
||||
{
|
||||
|
@ -401,6 +401,10 @@ let
|
|||
message = ''program "${sug}" referenced by "${name}", but not defined'';
|
||||
}) p.suggestedPrograms;
|
||||
|
||||
warnings = lib.mkIf (config.sane.strictSandboxing == "warn" && p.sandbox.enable && p.sandbox.method == null && p.enabled && p.package != null) [
|
||||
"program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false."
|
||||
];
|
||||
|
||||
system.checks = lib.optionals (p.enabled && p.sandbox.method != null && p.package != null) [
|
||||
p.package.passthru.checkSandboxed
|
||||
];
|
||||
|
@ -512,8 +516,8 @@ in
|
|||
'';
|
||||
};
|
||||
sane.strictSandboxing = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
type = types.enum [ false "warn" "assert" ];
|
||||
default = "warn";
|
||||
description = ''
|
||||
whether to require that every `sane.program` explicitly specify its sandbox settings.
|
||||
'';
|
||||
|
@ -531,6 +535,7 @@ in
|
|||
sane.users = f.sane.users;
|
||||
sops.secrets = f.sops.secrets;
|
||||
system.checks = f.system.checks;
|
||||
warnings = f.warnings;
|
||||
};
|
||||
in lib.mkMerge [
|
||||
(take (sane-lib.mkTypedMerge take configs))
|
||||
|
|
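Review bot: The `sane.strictSandboxing` description in the third hunk still reads like a boolean ("whether to require ...") although the option is now `types.enum [ false "warn" "assert" ]` with a default of `"warn"`; a reader of the option docs cannot tell what each value does or that the default changed from `false`. I would replace the description body with `how to treat a `sane.program` that enables sandboxing but sets no `sandbox.method`:` followed by `` `false` ignores it, `"warn"` emits an evaluation warning, `"assert"` fails evaluation (default: `"warn"`). `` The `mkOption` attribute set closes outside the hunk. Separately, the first and second hunks now carry the same predicate and the same message twice (the `assertion`/`message` pair and the `warnings = lib.mkIf (...)` list), so the two can drift apart; binding the predicate and the message once in a `let` inside the `mapAttrsToList` function and referencing them from both places would keep the warn and assert paths in step.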