programs: sandbox lsof with capsh only

can't get it to sandbox any more aggressively with either landlock or bwrap
2024-02-16 04:53:18 +00:00 · 2024-02-16 04:53:18 +00:00 · 5f3ec42f57
commit 5f3ec42f57
parent 28aaeb051f
1 changed files with 3 additions and 0 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -443,6 +443,9 @@ in
    losslesscut-bin.sandbox.whitelistWayland = true;
    losslesscut-bin.sandbox.whitelistX = true;

+    lsof.sandbox.method = "capshonly";  # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
+    lsof.sandbox.wrapperType = "wrappedDerivation";
+
    "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
    "mate.engrampa".sandbox.wrapperType = "inplace";
    "mate.engrampa".sandbox.whitelistWayland = true;