programs: jq: add working sandbox criteria, but don't enable yet

i need to handle the extremely common `cat foo | jq .` without adding `.` to the sandbox
2024-02-17 15:36:41 +00:00 · 2024-02-17 15:36:41 +00:00 · a729f91d21
commit a729f91d21
parent a273b559e2
1 changed files with 3 additions and 1 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -582,7 +582,9 @@ in
    iw.sandbox.net = "all";
    iw.sandbox.capabilities = [ "net_admin" ];

-    # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect
+    # jq.sandbox.method = "bwrap";
+    # jq.sandbox.wrapperType = "wrappedDerivation";
+    # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect, but how else to sandbox?

    killall.sandbox.method = "landlock";
    killall.sandbox.wrapperType = "wrappedDerivation";