programs: sane-secrets-*: sandbox
@@ -128,6 +128,15 @@ in
|
|||||||
net = "all";
|
net = "all";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# TODO: gocryptfs/fuse requires /run/wrappers/bin/fusermount3 SUID
|
||||||
|
# "sane-scripts.private-unlock".sandbox = {
|
||||||
|
# method = "landlock";
|
||||||
|
# wrapperType = "wrappedDerivation";
|
||||||
|
# extraHomePaths = [ "private" ];
|
||||||
|
# # TODO: don't hardcode the username here.
|
||||||
|
# extraPaths = [ "/nix/persist/home/colin/private" ];
|
||||||
|
# };
|
||||||
|
|
||||||
"sane-scripts.reclaim-boot-space".sandbox = {
|
"sane-scripts.reclaim-boot-space".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
@@ -154,6 +163,32 @@ in
|
|||||||
extraPaths = [ "/nix/var/nix" ];
|
extraPaths = [ "/nix/var/nix" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"sane-scripts.secrets-unlock".sandbox = {
|
||||||
|
method = "bwrap";
|
||||||
|
wrapperType = "wrappedDerivation";
|
||||||
|
extraHomePaths = [
|
||||||
|
".ssh/id_ed25519"
|
||||||
|
".ssh/id_ed25519.pub"
|
||||||
|
".config/sops"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# sane-secrets-dump is a thin wrapper around sops + some utilities.
|
||||||
|
# really i should sandbox just the utilities
|
||||||
|
"sane-scripts.secrets-dump".sandbox.enable = false;
|
||||||
|
"sane-scripts.secrets-dump".suggestedPrograms = [
|
||||||
|
"gnugrep"
|
||||||
|
"oath-toolkit"
|
||||||
|
"sops"
|
||||||
|
];
|
||||||
|
# sane-secrets-update-keys is a thin wrapper around sops + some utilities.
|
||||||
|
# really i should sandbox just the utilities
|
||||||
|
"sane-scripts.secrets-update-keys".sandbox.enable = false;
|
||||||
|
"sane-scripts.secrets-update-keys".suggestedPrograms = [
|
||||||
|
"findutils"
|
||||||
|
"sops"
|
||||||
|
];
|
||||||
|
|
||||||
"sane-scripts.shutdown".sandbox = {
|
"sane-scripts.shutdown".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
wrapperType = "wrappedDerivation";
|
||||||
|
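Review bot: The new `"sane-scripts.secrets-unlock".sandbox` block mounts the user's private SSH key (`.ssh/id_ed25519`) into the sandbox, but nothing in the hunk shows whether that sandbox has network access or any other home paths — the `net` setting for this program is not visible here, and the first hunk shows `net = "all"` is in use for at least one other program in this file. I would add a comment above `extraHomePaths` recording the intent and the constraint that keeps the key exposure bounded, e.g. `# exposes the private ssh key to this sandbox: keep net off and grant no other home paths`; if sops only needs the key for age decryption, the `.pub` entry may be unnecessary and is worth confirming. The `sandbox.enable = false` lines for `secrets-dump` and `secrets-update-keys` carry a "really i should sandbox just the utilities" note, but they leave programs that handle decrypted secrets (and, for `secrets-dump`, `oath-toolkit` TOTP material) running with the full, unsandboxed home and network; I would make that explicit in the comment, e.g. `# UNSANDBOXED: runs with full home/network access; tracked as a TODO to sandbox only the helper utilities`, so the exception is visible to whoever next touches this file. The enclosing attribute set starts before both hunks and continues after them.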