programs: waylock: *partially* sandbox with capsh

Colin 2024-02-14 05:46:28 +00:00
parent 9faf1bb52c
commit f11e443678


@ -5,6 +5,11 @@ let
cfg = config.sane.programs.waylock;
in
{
sane.programs.waylock = {
sandbox.method = "capshonly"; # not even landlock with full access to / works.
sandbox.wrapperType = "wrappedDerivation";
};
# without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
security.pam.services = lib.mkIf cfg.enabled {
waylock.unixAuth = true;
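Review bot: The comment on `sandbox.method = "capshonly"` says landlock did not work but not what failed, so the exception is hard to revisit later. For a screen locker the likely casualty is the unlock path (PAM's password check commonly goes through a setuid helper, which a no-new-privileges sandbox would break), but that is an inference and nothing on this page shows it. I would record the observed symptom instead, e.g. `# capsh only: under landlock <observed failure, fill in>; revisit once that is understood`. It is also worth stating in the comment that this method presumably leaves filesystem and network access unconfined, so nobody reads `sandbox` here as full isolation. The `security.pam.services` attribute set continues past the end of the hunk.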