From 6aaa724abf8c94a8711aaef4fcb50c118dfc0e4f Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 16 Feb 2024 14:50:50 +0000
Subject: [PATCH] programs: strings: sandbox

---
 hosts/common/programs/strings.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hosts/common/programs/strings.nix b/hosts/common/programs/strings.nix
index 4645e82e..332a5f64 100644
--- a/hosts/common/programs/strings.nix
+++ b/hosts/common/programs/strings.nix
@@ -1,6 +1,12 @@
 { pkgs, ... }: {
 sane.programs.strings = {
+ # binutils-unwrapped is like 80 MiB, just for this one binary;
+ # dynamic linking means copying the binary doesn't reduce the closure much at all compared to just symlinking it.
 packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.binutils-unwrapped "bin/strings";
+
+ sandbox.method = "landlock";
+ sandbox.wrapperType = "wrappedDerivation";
+ sandbox.autodetectCliPaths = "existing";
 };
 }
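Review bot: The three new `sandbox.*` lines carry no comment saying what the confinement is for, while the comment just above them explains only the packaging trade-off; since `strings` parses arbitrary and often untrusted binaries, a one-line rationale such as `# strings parses arbitrary, possibly untrusted binaries; confine it to the paths passed on the CLI` would tell the next reader why this tool gets a sandbox at all. What `autodetectCliPaths = "existing"` grants when input comes from stdin rather than a path argument, and whether this landlock profile also restricts network access, is not visible in the hunk and is worth confirming against the sandbox module before relying on it. The second packaging comment is also very long for one line and could be wrapped at the semicolon. The hunk covers the whole file, so the enclosing attribute set is fully in view.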