From 9c523b3ddd71eb1c6ee42cf6b94f8bfca715c6f6 Mon Sep 17 00:00:00 2001 From: Colin Date: Thu, 4 Jul 2024 16:21:30 +0000 Subject: [PATCH] geoclue-demo-agent: sandbox --- hosts/common/programs/geoclue-demo-agent.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/common/programs/geoclue-demo-agent.nix b/hosts/common/programs/geoclue-demo-agent.nix index d24ac28d..dba0b4f3 100644 --- a/hosts/common/programs/geoclue-demo-agent.nix +++ b/hosts/common/programs/geoclue-demo-agent.nix @@ -7,8 +7,15 @@ path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent"; }]; + sandbox.method = "bwrap"; + sandbox.whitelistDbus = [ + "system" + ]; + services.geoclue-agent = { description = "geoclue 'demo' agent"; + # XXX: i don't actually understand how this works: upstream dbus rules would appear to restrict + # the dbus owner to just root/geoclue, but we're neither and this still works (and breaks if i remove the agent service!) command = "geoclue-demo-agent"; partOf = [ "graphical-session" ]; };