geoclue: dont place unsandboxed files on PATH

2024-07-06 03:05:49 +00:00
parent 3c53bca156
commit bce8a0d91f
2 changed files with 17 additions and 1 deletions
--- a/hosts/common/programs/geoclue2.nix
+++ b/hosts/common/programs/geoclue2.nix
@@ -33,12 +33,25 @@ in
    suggestedPrograms = [
      "avahi"  #< to discover LAN gps devices
      "geoclue-demo-agent"
-      "gps-share"
+      # "gps-share"
      "iio-sensor-proxy"
      "ols"  #< WiFi SSID -> lat/long lookups
      "satellite"  #< graphical view into GPS fix data
      "where-am-i"  #< handy debugging/testing tool
    ];
+
+    # XXX(2024/07/05): no way to plumb my sandboxed geoclue into `services.geoclue2`.
+    # then, the package doesn't get used directly anywhere. but other programs reference `packageUnwrapped`,
+    # so keep that part still.
+    sandbox.enable = false;
+    package = lib.mkForce null;
+
+    # experimental sandboxing (2024/07/05)
+    # sandbox.method = "bwrap";
+    # sandbox.whitelistDbus = [
+    #   "system"
+    # ];
+    # sandbox.net = "all";
  };

  # sane.programs.geoclue2.enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;
--- a/hosts/modules/hal/pine64.nix
+++ b/hosts/modules/hal/pine64.nix
@@ -283,6 +283,9 @@ in
    #   dd if=${pkgs.tow-boot-pinephone}/Tow-Boot.noenv.bin of=$out bs=1024 seek=8 conv=notrunc
    # '';

+    sane.programs.geoclue2.suggestedPrograms = [
+      "gps-share"
+    ];
    sane.programs.nwg-panel.config.torch = "white:flash";
    sane.programs.gps-share.config = {
      device = "/dev/ttyUSB1";