From f11e4436786052fe6c7b0929f553b8bbb2cd2713 Mon Sep 17 00:00:00 2001 From: Colin Date: Wed, 14 Feb 2024 05:46:28 +0000 Subject: [PATCH] programs: waylock: *partially* sandbox with capsh --- hosts/common/programs/waylock.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/common/programs/waylock.nix b/hosts/common/programs/waylock.nix index 7f397a97..e28d8865 100644 --- a/hosts/common/programs/waylock.nix +++ b/hosts/common/programs/waylock.nix @@ -5,6 +5,11 @@ let cfg = config.sane.programs.waylock; in { + sane.programs.waylock = { + sandbox.method = "capshonly"; # not even landlock with full access to / works. + sandbox.wrapperType = "wrappedDerivation"; + }; + # without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-) security.pam.services = lib.mkIf cfg.enabled { waylock.unixAuth = true;