programs: waylock: *partially* sandbox with capsh

2024-02-14 05:46:28 +00:00 · 2024-02-14 05:46:28 +00:00 · f11e443678
commit f11e443678
parent 9faf1bb52c
1 changed files with 5 additions and 0 deletions
--- a/hosts/common/programs/waylock.nix
+++ b/hosts/common/programs/waylock.nix
@ -5,6 +5,11 @@ let
  cfg = config.sane.programs.waylock;
 in
 {
+  sane.programs.waylock = {
+    sandbox.method = "capshonly";  # not even landlock with full access to / works.
+    sandbox.wrapperType = "wrappedDerivation";
+  };
+
  # without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
  security.pam.services = lib.mkIf cfg.enabled {
    waylock.unixAuth = true;