programs: sandbox sane-scripts.private-do
This commit is contained in:
parent
dd00a2fe6e
commit
6865331b48
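--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -121,14 +121,21 @@ in
 net = "all";
 };
 
-# TODO: gocryptfs/fuse requires /run/wrappers/bin/fusermount3 SUID
-# "sane-scripts.private-unlock".sandbox = {
-# method = "landlock";
-# wrapperType = "wrappedDerivation";
-# extraHomePaths = [ "private" ];
-# # TODO: don't hardcode the username here.
-# extraPaths = [ "/nix/persist/home/colin/private" ];
-# };
+"sane-scripts.private-do".sandbox = {
+# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
+# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
+# this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
+method = "bwrap";
+wrapperType = "wrappedDerivation";
+# cap_sys_admin is needed to mount stuff.
+# ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
+capabilities = [ "sys_admin" ];
+# `sane-private-do` acts as a launcher, so give it access to anything it could possibly need.
+# (crucially, that includes the backing store)
+extraPaths = [ "/" ];
+};
+"sane-scripts.private-lock".sandbox.enable = false;
+"sane-scripts.private-unlock".sandbox.enable = false;
 
 "sane-scripts.reclaim-boot-space".sandbox = {
 method = "bwrap";
 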
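Review bot: `capabilities = [ "sys_admin" ];` combined with `extraPaths = [ "/" ];` leaves the new `sane-scripts.private-do` sandbox with essentially no isolation: CAP_SYS_ADMIN covers mount and namespace operations, so with the whole root filesystem mapped in the bwrap sandbox is not a privilege boundary, only an unshared mount namespace. That looks intentional given the launcher comment, but the block should state it so nobody later reads "sandbox" as confinement, e.g. `# NOTE: sys_admin + "/" means this is not a security boundary; the sandbox only provides an unshared mount namespace so the umount is contention-free.` If the launcher only needs the backing store and the mount target, listing those paths instead of `/` would narrow the exposure, though the hunk does not show what private-do actually touches. The two `.sandbox.enable = false;` lines for private-lock and private-unlock also deserve a one-line reason (presumably they run inside private-do's namespace), since a bare disable is easy to mistake for an oversight. The enclosing attribute set begins before this hunk and continues after it.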