modules/programs: sandbox: add whitelistWayland
option
This commit is contained in:
parent
371af5939e
commit
73afceb8c6
|
@ -71,8 +71,9 @@ let
|
||||||
(p: path-lib.concat [ xdgRuntimeDir p ])
|
(p: path-lib.concat [ xdgRuntimeDir p ])
|
||||||
(
|
(
|
||||||
sandbox.extraRuntimePaths
|
sandbox.extraRuntimePaths
|
||||||
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
|
|
||||||
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
|
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
|
||||||
|
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
|
||||||
|
++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
allowedPaths = [
|
allowedPaths = [
|
||||||
|
@ -385,6 +386,14 @@ let
|
||||||
allow the program full access to whichever directory it was launched from.
|
allow the program full access to whichever directory it was launched from.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
sandbox.whitelistWayland = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true; #< TODO: harden default!
|
||||||
|
description = ''
|
||||||
|
allow sandbox to communicate with the wayland server.
|
||||||
|
note that this does NOT permit access to compositor admin tooling like `swaymsg`.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
sandbox.extraPaths = mkOption {
|
sandbox.extraPaths = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user