modules/programs: sandbox: add whitelistWayland
option
This commit is contained in:
parent
371af5939e
commit
73afceb8c6
|
@ -71,8 +71,9 @@ let
|
|||
(p: path-lib.concat [ xdgRuntimeDir p ])
|
||||
(
|
||||
sandbox.extraRuntimePaths
|
||||
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
|
||||
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
|
||||
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
|
||||
++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access
|
||||
)
|
||||
);
|
||||
allowedPaths = [
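Review bot: The new whitelistWayland entry hard-codes the socket name `wayland-1`, so the whitelist silently grants nothing when the compositor runs under a different `WAYLAND_DISPLAY` (libwayland's own default is `wayland-0`; only some compositors pick `wayland-1`); either derive the name from the configured display or state the assumption inline, e.g. `# assumes WAYLAND_DISPLAY=wayland-1; adjust if the compositor uses another display name`. The trailing comment concedes that an app with net access can reach the compositor anyway, which undercuts the option as an isolation boundary; it would help readers to spell out under which sandbox settings this whitelist is actually the only path to the socket. Unrelated to this commit but visible here, `++ lib.optionals sandbox.whitelistDbus [ "bus" ]` appears twice in the same list (before whitelistAudio and again after it), so one occurrence can be dropped. The enclosing `let` binding starts before the hunk and `allowedPaths` continues past it.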
|
||||
|
@ -385,6 +386,14 @@ let
|
|||
allow the program full access to whichever directory it was launched from.
|
||||
'';
|
||||
};
|
||||
sandbox.whitelistWayland = mkOption {
|
||||
type = types.bool;
|
||||
default = true; #< TODO: harden default!
|
||||
description = ''
|
||||
allow sandbox to communicate with the wayland server.
|
||||
note that this does NOT permit access to compositor admin tooling like `swaymsg`.
|
||||
'';
|
||||
};
|
||||
|
||||
sandbox.extraPaths = mkOption {
|
||||
type = types.listOf types.str;
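Review bot: `default = true;` with the `#< TODO: harden default!` marker means every sandboxed program gets the Wayland socket unless it explicitly opts out, which is the permissive direction for a sandbox option and is easy to forget once the TODO scrolls by; if the default has to stay true for now, name the blocker so it can be flipped later, e.g. `default = true; # TODO: flip to false once every program that needs a display sets whitelistWayland = true explicitly`, and say in the description that it is on by default. The description's claim that this does NOT permit `swaymsg` appears to rely on sway's IPC living on a separate socket rather than on the Wayland socket, so it would be clearer as `exposes only the wayland display socket; compositor IPC sockets (e.g. the one swaymsg uses) are not included`. The option's effect on the runtime-path whitelist is in the earlier hunk of this commit.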
|
||||
|
|
Loading…
Reference in New Issue
Block a user