From 785b3756719de8f45a3341bd23f27c55141b5271 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Sat, 17 Feb 2024 15:36:13 +0000
Subject: [PATCH] programs: smartmontools (smartctl): sandbox

---
 hosts/common/programs/assorted.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index c515fbfd1..ab0c08b70 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -768,6 +768,12 @@ in
     # printer/filament settings
     slic3r.persist.byStore.plaintext = [ ".Slic3r" ];
 
+    # use like `sudo smartctl /dev/sda -a`
+    smartmontools.sandbox.method = "landlock";
+    smartmontools.sandbox.wrapperType = "wrappedDerivation";
+    smartmontools.sandbox.autodetectCliPaths = "existing";
+    smartmontools.sandbox.capabilities = [ "sys_rawio" ];
+
     sops.sandbox.method = "bwrap";  # TODO:sandbox: untested
     sops.sandbox.wrapperType = "wrappedDerivation";
     sops.sandbox.extraHomePaths = [