programs: waylock: *partially* sandbox with capsh
parent
9faf1bb52c
commit
f11e443678
|
@ -5,6 +5,11 @@ let
|
||||||
cfg = config.sane.programs.waylock;
|
cfg = config.sane.programs.waylock;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
sane.programs.waylock = {
|
||||||
|
sandbox.method = "capshonly"; # not even landlock with full access to / works.
|
||||||
|
sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
};
|
||||||
|
|
||||||
# without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
|
# without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
|
||||||
security.pam.services = lib.mkIf cfg.enabled {
|
security.pam.services = lib.mkIf cfg.enabled {
|
||||||
waylock.unixAuth = true;
|
waylock.unixAuth = true;
|
||||||
|
|
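Review bot: The comment on `sandbox.method = "capshonly"` records that landlock fails but not why, nor what the capsh-only wrapper leaves unconfined, so a later reader cannot tell whether the weaker sandbox is still required. Because waylock authenticates through PAM (the `security.pam.services` entry in the same hunk), one plausible cause is that the landlock wrapper sets no_new_privs and thereby stops a setuid password-check helper from working; that is inferred, not shown here, and worth confirming. I would expand the comment to something like `# capshonly: only capabilities are dropped; filesystem/network presumably stay unconfined. landlock breaks unlock (PAM helper needs privilege?) -- TODO: revisit`. Stating the residual exposure matters for a screen locker, since it parses the unlock password and runs for the whole locked session.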