programs: sandbox: allow all programs to access media
hopefully this is just a stopgap
This commit is contained in:
parent
27b56b1a12
commit
98dfc3aa5a
|
@ -40,12 +40,24 @@ let
|
|||
let
|
||||
makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
|
||||
vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
|
||||
# TODO: restrict access to these media paths a bit more.
|
||||
# maybe mount them user=nobody and restrict based on group?
|
||||
mediaHomePaths = [
|
||||
"Books"
|
||||
"Music"
|
||||
"Pictures"
|
||||
"Videos"
|
||||
"tmp"
|
||||
];
|
||||
mediaRootPaths = [
|
||||
"/mnt/servo-media"
|
||||
];
|
||||
in
|
||||
makeSandboxed {
|
||||
inherit pkgName package;
|
||||
inherit (sandbox) binMap method;
|
||||
vpn = if net == "vpn" then vpn else null;
|
||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath;
|
||||
allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ mediaHomePaths;
|
||||
allowedRootPaths = [
|
||||
"/nix/store"
|
||||
"/etc" #< especially for /etc/profiles/per-user/$USER/bin
|
||||
|
@ -58,7 +70,7 @@ let
|
|||
"/run/opengl-driver-32"
|
||||
"/run/user" #< particularly /run/user/$id/wayland-1, pulse, etc.
|
||||
# "/dev/dri" #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
|
||||
];
|
||||
] ++ mediaRootPaths;
|
||||
}
|
||||
);
|
||||
pkgSpec = with lib; types.submodule ({ config, name, ... }: {
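Review bot: The media grant in the first hunk is unconditional — every program routed through `makeSandboxed` now gets `mediaHomePaths` and `mediaRootPaths` added to its allowed paths whether or not it has any reason to touch `~/Pictures` or `/mnt/servo-media`, and the `"tmp"` entry turns `~/tmp` into a directory reachable from every sandbox, which becomes a shared channel between otherwise-isolated programs if the helper mounts it writable (not visible from this hunk). The TODO above the list acknowledges the problem, but the stopgap could at least be opt-in per package rather than global, e.g. `allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ lib.optionals sandbox.media mediaHomePaths;` with a matching `media` option added to `pkgSpec` (which begins on the last line of the second hunk and continues outside it), or a read-only mount for the media directories if `makeSandboxed` supports one. Whether these paths end up read-write cannot be confirmed here, so the list comment would be more useful if it stated the exposure explicitly: `# NOTE: every sandboxed program can reach these paths; ~/tmp in particular is shared across sandboxes.`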
|
||||
|
|