programs: nvme-cli: sandbox

2024-02-17 14:40:29 +00:00 · 2024-02-17 14:40:29 +00:00 · 7d1fd2f30a
commit 7d1fd2f30a
parent 472987f164
1 changed files with 12 additions and 0 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -651,6 +651,18 @@ in
      "/proc"
    ];

+    # `nvme list` only shows results when run as root.
+    nvme-cli.sandbox.method = "landlock";
+    nvme-cli.sandbox.wrapperType = "wrappedDerivation";
+    nvme-cli.sandbox.extraPaths = [
+      "/sys/devices"
+      "/sys/class/nvme"
+      "/sys/class/nvme-subsystem"
+      "/sys/class/nvme-generic"
+      "/dev"
+    ];
+    nvme-cli.sandbox.capabilities = [ "sys_rawio" ];
+
    # settings (electron app)
    obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];