programs: sane-vpn: sandbox

2024-02-20 23:05:24 +00:00 · 2024-02-20 23:05:24 +00:00 · be2098c18a
commit be2098c18a
parent ee7d99289a
1 changed files with 9 additions and 2 deletions
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@ -123,9 +123,9 @@ in
    };

    "sane-scripts.ip-check".sandbox = {
-      method = "bwrap";
+      method = "landlock";
      wrapperType = "wrappedDerivation";
-      net = "clearnet";
+      net = "all";
    };

    "sane-scripts.reclaim-boot-space".sandbox = {
@ -191,6 +191,13 @@ in
      )
      {}
      (builtins.attrNames config.sane.vpn);
+    "sane-scripts.vpn".sandbox = {
+      method = "landlock";  #< bwrap can't handle `ip link` stuff even with cap_net_admin
+      wrapperType = "wrappedDerivation";
+      net = "all";
+      capabilities = [ "net_admin" ];
+      extraHomePaths = [ ".config/sane-vpn" ];
+    };

    "sane-scripts.which".sandbox = {
      method = "bwrap";