From 5f3ec42f5767bf7adf8dba8d581605119b2adbf7 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Fri, 16 Feb 2024 04:53:18 +0000
Subject: [PATCH] programs: sandbox lsof with capsh only

can't get it to sandbox any more aggressively with either landlock or
bwrap
---
 hosts/common/programs/assorted.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index ebfc1f281..dfb66e8ff 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -443,6 +443,9 @@ in
     losslesscut-bin.sandbox.whitelistWayland = true;
     losslesscut-bin.sandbox.whitelistX = true;
 
+    lsof.sandbox.method = "capshonly";  # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
+    lsof.sandbox.wrapperType = "wrappedDerivation";
+
     "mate.engrampa".sandbox.method = "bwrap";  # TODO:sandbox: untested
     "mate.engrampa".sandbox.wrapperType = "inplace";
     "mate.engrampa".sandbox.whitelistWayland = true;