programs: waylock: *partially* sandbox with capsh
This commit is contained in:
parent
9faf1bb52c
commit
f11e443678
|
@ -5,6 +5,11 @@ let
|
|||
cfg = config.sane.programs.waylock;
|
||||
in
|
||||
{
|
||||
sane.programs.waylock = {
|
||||
sandbox.method = "capshonly"; # not even landlock with full access to / works.
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
};
|
||||
|
||||
# without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
|
||||
security.pam.services = lib.mkIf cfg.enabled {
|
||||
waylock.unixAuth = true;
|
||||
|
|
Loading…
Reference in New Issue
Block a user