sanebox: tighter dependency handling, to not rely on @BACKEND_FALLBACK@
parent
b035d312aa
commit
73f5c9608e
|
@ -622,6 +622,7 @@ in
|
||||||
|
|
||||||
libcamera = {};
|
libcamera = {};
|
||||||
|
|
||||||
|
libcap.sandbox.enable = false; #< for `capsh`, which i use as a sandboxer
|
||||||
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
|
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
|
||||||
|
|
||||||
libnotify.sandbox.method = "bwrap";
|
libnotify.sandbox.method = "bwrap";
|
||||||
|
|
|
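Review bot: The new `libcap.sandbox.enable = false;` line turns off sandboxing for the whole `libcap` program entry, but its comment says only what libcap is used for, not why it has to run unsandboxed. If the reason is that `capsh` is itself a sandbox backend and cannot be wrapped by the sandboxer that invokes it, the comment should say so, e.g. `#< provides capsh, a sandbox backend; wrapping it in sanebox would be circular`. The libcap package also ships other tools such as `setcap` and `getcap`, so it is worth confirming that leaving those unwrapped is intended. The enclosing attribute set starts and ends outside this hunk.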
@ -18,6 +18,8 @@ in
|
||||||
sane.programs.sanebox = {
|
sane.programs.sanebox = {
|
||||||
packageUnwrapped = pkgs.sanebox.override {
|
packageUnwrapped = pkgs.sanebox.override {
|
||||||
bubblewrap = cfg.bubblewrap.package;
|
bubblewrap = cfg.bubblewrap.package;
|
||||||
|
passt = cfg.passt.package;
|
||||||
|
libcap = cfg.libcap.package;
|
||||||
landlock-sandboxer = pkgs.landlock-sandboxer.override {
|
landlock-sandboxer = pkgs.landlock-sandboxer.override {
|
||||||
# not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
|
# not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
|
||||||
# the sandboxer may nag about one or the other wanting to be updated.
|
# the sandboxer may nag about one or the other wanting to be updated.
|
||||||
|
|
|
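Review bot: `passt = cfg.passt.package;` and `libcap = cfg.libcap.package;` hand sanebox whatever `package` resolves to for those programs, and this hunk does not show whether that is the sandbox-wrapped or the unwrapped derivation. The first hunk of the commit disables the sandbox for libcap, but nothing shown does the same for passt. If `cfg.passt.package` turns out to be a sanebox wrapper, the sandboxer would be launching one of its own backends through itself. A comment above the three overrides would record the intent, for example `# sandbox backends are passed explicitly instead of via the fallback; each must be an unsandboxed package`. The `override` block continues outside the hunk.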
@ -437,7 +437,7 @@ let
|
||||||
] ++ lib.optionals (config.sandbox.method == "pastaonly") [
|
] ++ lib.optionals (config.sandbox.method == "pastaonly") [
|
||||||
"passt"
|
"passt"
|
||||||
] ++ lib.optionals (config.sandbox.method == "capshonly") [
|
] ++ lib.optionals (config.sandbox.method == "capshonly") [
|
||||||
"libcap_ng"
|
"libcap"
|
||||||
];
|
];
|
||||||
# declare a fs dependency for each secret, but don't specify how to populate it yet.
|
# declare a fs dependency for each secret, but don't specify how to populate it yet.
|
||||||
# can't populate it here because it varies per-user.
|
# can't populate it here because it varies per-user.
|
||||||
|
|
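Review bot: The `"libcap"` entry under `capshonly` would benefit from a comment naming the binary it is there for, since the two similarly named packages were evidently easy to confuse: `"libcap"  # provides capsh (libcap_ng does not)`. The list this entry belongs to starts outside the hunk, so it is not visible whether other sandbox methods that also call `capsh` declare the same dependency. If any do, they need `"libcap"` as well.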