avahi: fix broken sandboxing
This commit is contained in:
@@ -16,6 +16,9 @@
|
|||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.whitelistDbus = [ "system" ];
|
sandbox.whitelistDbus = [ "system" ];
|
||||||
sandbox.net = "all"; #< otherwise it will show 'null' in place of each interface name.
|
sandbox.net = "all"; #< otherwise it will show 'null' in place of each interface name.
|
||||||
|
sandbox.extraPaths = [
|
||||||
|
"/" #< else the daemon exits immediately. TODO: decrease this scope.
|
||||||
|
];
|
||||||
};
|
};
|
||||||
services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
|
services.avahi = lib.mkIf config.sane.programs.avahi.enabled {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|||||||
@@ -67,8 +67,9 @@ let
|
|||||||
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
"/run/systemd/resolve" #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
|
||||||
] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
|
] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
|
||||||
"/var/run/avahi-daemon" #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
|
"/var/run/avahi-daemon" #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
|
||||||
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
|
] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [
|
||||||
++ sandbox.extraPaths
|
"/var/run/dbus/system_bus_socket" #< XXX: use /var/run/..., for the rare program which requires that (i.e. avahi users)
|
||||||
|
] ++ sandbox.extraPaths
|
||||||
;
|
;
|
||||||
|
|
||||||
sandboxArgs = makeSandboxArgs {
|
sandboxArgs = makeSandboxArgs {
|
||||||
|
|||||||
Reference in New Issue
Block a user