iio-sensor-proxy: sandbox

2024-07-04 19:27:16 +00:00 · 2024-07-04 19:27:16 +00:00 · 828d4fcc9c
commit 828d4fcc9c
parent ca2ac89cec
1 changed files with 8 additions and 0 deletions
--- a/hosts/common/programs/iio-sensor-proxy.nix
+++ b/hosts/common/programs/iio-sensor-proxy.nix
@ -40,6 +40,14 @@ in
      ];
    });
    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies
+
+    sandbox.method = "bwrap";
+    sandbox.whitelistDbus = [ "system" ];
+    sandbox.extraPaths = [
+      "/run/udev/data"
+      "/sys/bus"
+      "/sys/devices"
+    ];
  };
  services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
  # services.dbus.packages = lib.mkIf cfg.enabled [ cfg.package ];  #< for bus ownership policy