modules/programs: add a sane.strictSandboxing option
This commit is contained in:
parent
5ca208d07f
commit
a7d081bfcb
|
@ -334,6 +334,10 @@ let
|
|||
|
||||
configs = lib.mapAttrsToList (name: p: {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(p.sandbox.enable && p.sandbox.method == null) || !p.enabled || p.package == null || !config.sane.strictSandboxing;
|
||||
message = "program ${name} specified no `sandbox.method`; please configure a method, or set sandbox.enable = false.";
|
||||
}
|
||||
{
|
||||
assertion = (p.net == "clearnet") || p.sandbox.method != null;
|
||||
message = ''program "${name}" requests net "${p.net}", which requires sandboxing, but sandboxing was disabled'';
|
||||
|
@ -448,6 +452,13 @@ in
|
|||
this is mostly an internal implementation detail.
|
||||
'';
|
||||
};
|
||||
sane.strictSandboxing = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
whether to require that every `sane.program` explicitly specify its sandbox settings
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
|
|
Loading…
Reference in New Issue
Block a user