programs: sandbox sane-shutdown, sane-reboot
parent
58db553c84
commit
8beac8df2f
|
@ -121,12 +121,35 @@ in
|
|||
# extraPaths = [ "/boot" ];
|
||||
# };
|
||||
|
||||
# it's just a thin wrapper around rsync, which is already sandboxed
|
||||
"sane-scripts.rcp".sandbox.enable = false;
|
||||
# but make sure rsync is always on PATH, so that we actually do get sandboxing :)
|
||||
"sane-scripts.rcp".suggestedPrograms = [ "rsync" ];
|
||||
|
||||
"sane-scripts.reboot".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [
|
||||
"/run/dbus"
|
||||
"/run/systemd"
|
||||
];
|
||||
};
|
||||
|
||||
"sane-scripts.reclaim-disk-space".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [ "/nix/var/nix" ];
|
||||
};
|
||||
|
||||
"sane-scripts.shutdown".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [
|
||||
"/run/dbus"
|
||||
"/run/systemd"
|
||||
];
|
||||
};
|
||||
|
||||
# if `tee` isn't trustworthy we have bigger problems
|
||||
"sane-scripts.sudo-redirect".sandbox.enable = false;
|
||||
|
||||
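Review bot: The sandbox blocks for `sane-scripts.reboot` and `sane-scripts.shutdown` bind all of `/run/dbus` and `/run/systemd` without a comment saying why (I assume these are the added lines; the rendering has lost the +/- markers). With the system bus reachable inside bwrap, the sandbox restricts filesystem access but not what the process can request from services on that bus, so authorization presumably rests on polkit/logind policy. A line such as `# needs the system bus + systemd sockets to request reboot/poweroff; polkit decides whether the caller may` above each `extraPaths` would record that. If only a single socket turns out to be needed, narrowing `extraPaths` to it is worth testing. The two blocks are identical, so they could share one definition.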
|
|
|
@ -130,7 +130,7 @@ let
|
|||
reboot = static-nix-shell.mkBash {
|
||||
pname = "sane-reboot";
|
||||
src = ./src;
|
||||
pkgs = [ "systemd" ];
|
||||
pkgs = [ "nettools" "systemd" ];
|
||||
};
|
||||
reclaim-boot-space = static-nix-shell.mkPython3Bin {
|
||||
pname = "sane-reclaim-boot-space";
|
||||
|
@ -159,7 +159,7 @@ let
|
|||
shutdown = static-nix-shell.mkBash {
|
||||
pname = "sane-shutdown";
|
||||
src = ./src;
|
||||
pkgs = [ "inetutils" "systemd" ];
|
||||
pkgs = [ "nettools" "systemd" ];
|
||||
};
|
||||
stop-all-servo = static-nix-shell.mkBash {
|
||||
pname = "sane-stop-all-servo";
|
||||
|
|
|
@ -1,11 +1,14 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p systemd
|
||||
#!nix-shell -i bash -p nettools -p systemd
|
||||
|
||||
target="$1"
|
||||
shift
|
||||
|
||||
host="$(hostname)"
|
||||
if [ "$host" = "$target" ]
|
||||
then
|
||||
sudo reboot now
|
||||
# N.B.: anything other than just `reboot` with no args requires `sudo` privilegs (to write to /run/systemd/)
|
||||
reboot "$@"
|
||||
else
|
||||
echo "WRONG MACHINE. you're on $host."
|
||||
exit 1
|
||||
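Review bot: The `[ "$host" = "$target" ]` guard now runs inside the bwrap sandbox configured for this script, so it is only as reliable as `hostname` is in there. If the wrapper unshares the UTS namespace or sets its own hostname, the comparison no longer reflects the real machine; worth confirming, and noting next to `host="$(hostname)"` with something like `# the sandbox must not alter the hostname: this guard depends on it`. The same applies to the sane-shutdown script. Separately, `reboot "$@"` forwards arguments that the comment above it says need privileges the script no longer has now that `sudo` is gone, so rejecting extra arguments with a clear message may be kinder than letting `reboot` fail. The `if` block closes outside the hunk.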
|
|
|
@ -1,11 +1,13 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p inetutils -p systemd
|
||||
#!nix-shell -i bash -p nettools -p systemd
|
||||
|
||||
target="$1"
|
||||
shift
|
||||
|
||||
host="$(hostname)"
|
||||
if [ "$host" = "$target" ]
|
||||
then
|
||||
sudo shutdown now
|
||||
shutdown now "$@"
|
||||
else
|
||||
echo "WRONG MACHINE. you're on $host."
|
||||
exit 1
|
||||
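Review bot: `shutdown now "$@"` has no counterpart to the comment in sane-reboot that explains which invocations work without `sudo`. sane-reboot dropped its `now` argument, presumably for that reason, while this script keeps `now` and also forwards further arguments. If an immediate shutdown is known to work unprivileged but a delay or wall message is not, say so above the call, e.g. `# N.B.: only an immediate shutdown works without sudo; extra args may need privileges`. The `if` block closes outside the hunk.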
|
|