From cc90183ca2e6f3f6b41d425f58d35216d65b5359 Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 6 Sep 2024 03:52:36 +0000
Subject: [PATCH] blast-ugjka: sandbox with bunpen
---
 hosts/common/programs/blast-ugjka/default.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hosts/common/programs/blast-ugjka/default.nix b/hosts/common/programs/blast-ugjka/default.nix
index 19b036920..36c0693ac 100644
--- a/hosts/common/programs/blast-ugjka/default.nix
+++ b/hosts/common/programs/blast-ugjka/default.nix
@@ -24,7 +24,7 @@ let
 in
 {
 sane.programs.blast-ugjka = {
- sandbox.method = "bwrap";
+ sandbox.method = "bunpen";
 sandbox.whitelistAudio = true;
 sandbox.net = "clearnet";
 };
@@ -36,12 +36,13 @@ in
 pkgs = [ "blast-ugjka" ];
 srcRoot = ./.;
 };
- sandbox.method = "bwrap";
+ sandbox.method = "bunpen";
 sandbox.whitelistAudio = true;
 sandbox.net = "clearnet";
 #v else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?)
 #v might be possible to remove this, but kinda hard to see a clean way.
 sandbox.isolatePids = false;
+ sandbox.extraPaths = [ "/proc" ]; #< for isolatePids
 suggestedPrograms = [ "blast-ugjka" "sane-die-with-parent" ];
 };
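Review bot: In the second hunk, `sandbox.extraPaths = [ "/proc" ];` is added next to `sandbox.isolatePids = false` and `sandbox.net = "clearnet"`, so a network-reachable program would see the host's /proc for every process its uid may inspect (command lines, and for same-user processes typically `environ` and `fd`). The trailing `#< for isolatePids` does not record what fails without the mount or why the whole tree is needed. I would expand it to something like `#< isolatePids = false keeps the host PID namespace, so the host /proc is bound in; this exposes other processes' /proc entries to the sandbox`. How bunpen itself treats /proc is not visible in this patch, so it is worth confirming whether a narrower exposure is possible before relying on the full mount. The attribute set being edited starts above the hunk.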