colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: rename "keepUsers" -> "tryKeepUsers"

Browse Source
This commit is contained in:
Colin
2024-09-06 06:32:49 +00:00
parent 9bd5a7e4e4
commit 8255e419be
3 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hosts/common/programs/seatd.nix
View File

@@ -20,7 +20,7 @@ lib.mkMerge [
# "sys_admin" # "sys_admin"
"sys_tty_config" "sys_tty_config"
]; ];
sandbox.keepUsers = true; sandbox.tryKeepUsers = true;
sandbox.extraPaths = [ sandbox.extraPaths = [
"/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear "/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
# "/dev/dri" # "/dev/dri"

4
modules/programs/default.nix
View File

@@ -77,7 +77,7 @@ let
capabilities capabilities
extraConfig extraConfig
keepPids keepPids
keepUsers tryKeepUsers
method method
whitelistPwd whitelistPwd
; ;
@@ -370,7 +370,7 @@ let
this is usually wanted above just `keepPids`: it's rare to want to keep your pidspace but not access /proc. this is usually wanted above just `keepPids`: it's rare to want to keep your pidspace but not access /proc.
''; '';
}; };
sandbox.keepUsers = mkOption { sandbox.tryKeepUsers = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = ''

7
modules/programs/make-sandbox-args.nix
View File

@@ -8,7 +8,7 @@
capabilities ? [], capabilities ? [],
dns ? null, dns ? null,
keepPids ? false, keepPids ? false,
keepUsers ? false, tryKeepUsers ? false,
netDev ? null, netDev ? null,
netGateway ? null, netGateway ? null,
whitelistPwd ? false, whitelistPwd ? false,
@@ -20,7 +20,7 @@ let
capability = cap: [ "--sanebox-cap" cap ]; capability = cap: [ "--sanebox-cap" cap ];
dns = addr: [ "--sanebox-dns" addr ]; dns = addr: [ "--sanebox-dns" addr ];
keepPids = [ "--sanebox-keep-namespace" "pid" ]; keepPids = [ "--sanebox-keep-namespace" "pid" ];
keepUsers = [ "--sanebox-keep-namespace" "user" ]; tryKeepUsers = [ "--sanebox-keep-namespace" "user" ];
method = method: [ "--sanebox-method" method ]; method = method: [ "--sanebox-method" method ];
netDev = netDev: [ "--sanebox-net-dev" netDev ]; netDev = netDev: [ "--sanebox-net-dev" netDev ];
netGateway = netGateway: [ "--sanebox-net-gateway" netGateway ]; netGateway = netGateway: [ "--sanebox-net-gateway" netGateway ];
@@ -54,6 +54,7 @@ let
path = p: [ "--bunpen-path" p ]; path = p: [ "--bunpen-path" p ];
path-home = p: [ "--bunpen-home-path" p ]; path-home = p: [ "--bunpen-home-path" p ];
path-run = p: [ "--bunpen-run-path" p ]; path-run = p: [ "--bunpen-run-path" p ];
tryKeepUsers = [ "--bunpen-try-keep-users" ];
whitelistPwd = [ "--bunpen-path" "." ]; whitelistPwd = [ "--bunpen-path" "." ];
}; };
gen = if method == "bunpen" then gen = if method == "bunpen" then
@@ -79,6 +80,6 @@ in
++ capabilityFlags ++ capabilityFlags
++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths) ++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
++ lib.optionals keepPids gen.keepPids ++ lib.optionals keepPids gen.keepPids
++ lib.optionals keepUsers gen.keepUsers ++ lib.optionals tryKeepUsers gen.tryKeepUsers
++ lib.optionals whitelistPwd gen.whitelistPwd ++ lib.optionals whitelistPwd gen.whitelistPwd
++ extraConfig ++ extraConfig