avahi: fix broken sandboxing

2024-07-06 03:08:36 +00:00
parent 0786475c63
commit 6824080f6b
2 changed files with 6 additions and 2 deletions
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -16,6 +16,9 @@
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [ "system" ];
    sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
+    sandbox.extraPaths = [
+      "/"  #< else the daemon exits immediately. TODO: decrease this scope.
+    ];
  };
  services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
    enable = true;
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -67,8 +67,9 @@ let
          "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
        ] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
          "/var/run/avahi-daemon"  #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
-        ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
-          ++ sandbox.extraPaths
+        ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [
+          "/var/run/dbus/system_bus_socket"  #< XXX: use /var/run/..., for the rare program which requires that (i.e. avahi users)
+        ] ++ sandbox.extraPaths
        ;

        sandboxArgs = makeSandboxArgs {