modules/programs: rename "keepUsers" -> "tryKeepUsers"

2024-09-06 06:32:49 +00:00
parent 9bd5a7e4e4
commit 8255e419be
3 changed files with 7 additions and 6 deletions
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -20,7 +20,7 @@ lib.mkMerge [
        # "sys_admin"
        "sys_tty_config"
      ];
-      sandbox.keepUsers = true;
+      sandbox.tryKeepUsers = true;
      sandbox.extraPaths = [
        "/dev"  #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
        # "/dev/dri"
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -77,7 +77,7 @@ let
            capabilities
            extraConfig
            keepPids
-            keepUsers
+            tryKeepUsers
            method
            whitelistPwd
          ;
@@ -370,7 +370,7 @@ let
          this is usually wanted above just `keepPids`: it's rare to want to keep your pidspace but not access /proc.
        '';
      };
-      sandbox.keepUsers = mkOption {
+      sandbox.tryKeepUsers = mkOption {
        type = types.bool;
        default = false;
        description = ''
--- a/modules/programs/make-sandbox-args.nix
+++ b/modules/programs/make-sandbox-args.nix
@@ -8,7 +8,7 @@
  capabilities ? [],
  dns ? null,
  keepPids ? false,
-  keepUsers ? false,
+  tryKeepUsers ? false,
  netDev ? null,
  netGateway ? null,
  whitelistPwd ? false,
@@ -20,7 +20,7 @@ let
    capability = cap: [ "--sanebox-cap" cap ];
    dns = addr: [ "--sanebox-dns" addr ];
    keepPids = [ "--sanebox-keep-namespace" "pid" ];
-    keepUsers = [ "--sanebox-keep-namespace" "user" ];
+    tryKeepUsers = [ "--sanebox-keep-namespace" "user" ];
    method = method: [ "--sanebox-method" method ];
    netDev = netDev: [ "--sanebox-net-dev" netDev ];
    netGateway = netGateway: [ "--sanebox-net-gateway" netGateway ];
@@ -54,6 +54,7 @@ let
    path = p: [ "--bunpen-path" p ];
    path-home = p: [ "--bunpen-home-path" p ];
    path-run = p: [ "--bunpen-run-path" p ];
+    tryKeepUsers = [ "--bunpen-try-keep-users" ];
    whitelistPwd = [ "--bunpen-path" "." ];
  };
  gen = if method == "bunpen" then
@@ -79,6 +80,6 @@ in
  ++ capabilityFlags
  ++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
  ++ lib.optionals keepPids gen.keepPids
-  ++ lib.optionals keepUsers gen.keepUsers
+  ++ lib.optionals tryKeepUsers gen.tryKeepUsers
  ++ lib.optionals whitelistPwd gen.whitelistPwd
  ++ extraConfig