sane-reclaim-disk-space: fix capability sandboxing

2025-01-22 10:50:49 +00:00
parent 83477b9e70
commit c1565efb2d
1 changed files with 4 additions and 1 deletions
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -140,7 +140,10 @@ in
    "sane-scripts.reclaim-disk-space".sandbox = {
      method = "bunpen";
      extraPaths = [ "/nix/var/nix" ];
-      capabilities = [ "sys_admin" ];  # for it to remount /nix/store
+      capabilities = [
        "dac_override"  # some packages have files which aren't `w`
        "sys_admin"  # for it to remount /nix/store
      ];
      tryKeepUsers = true;
    };