From 828d4fcc9c6f73c051788be2257ef035ea89a47e Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Thu, 4 Jul 2024 19:27:16 +0000
Subject: [PATCH] iio-sensor-proxy: sandbox

---
 hosts/common/programs/iio-sensor-proxy.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hosts/common/programs/iio-sensor-proxy.nix b/hosts/common/programs/iio-sensor-proxy.nix
index a7c29dfb..c9a36ff8 100644
--- a/hosts/common/programs/iio-sensor-proxy.nix
+++ b/hosts/common/programs/iio-sensor-proxy.nix
@@ -40,6 +40,14 @@ in
       ];
     });
     enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies
+
+    sandbox.method = "bwrap";
+    sandbox.whitelistDbus = [ "system" ];
+    sandbox.extraPaths = [
+      "/run/udev/data"
+      "/sys/bus"
+      "/sys/devices"
+    ];
   };
   services.udev.packages = lib.mkIf cfg.enabled [ cfg.package ];
   # services.dbus.packages = lib.mkIf cfg.enabled [ cfg.package ];  #< for bus ownership policy