colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: bind "safe"-ish /de items

Browse Source
This commit is contained in:
Colin
2024-08-29 20:13:37 +00:00
parent 9c69666646
commit f26f13ddf3
1 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
modules/programs/make-sandbox-args.nix
View File

@@ -31,7 +31,23 @@ let
}; };
bunpenGenerators = { bunpenGenerators = {
autodetectCliPaths = style: [ "--bunpen-autodetect" style ]; autodetectCliPaths = style: [ "--bunpen-autodetect" style ];
method = m: assert m == "bunpen"; []; method = m: assert m == "bunpen";
# smuggle in some defaults
(lib.concatMap (devnode: [ "--bunpen-path" "/dev/${devnode}" ]) [
# bwrap *binds* these when you ask for `--dev /dev`.
"full"
"null"
"random"
"tty"
"urandom"
"zero"
# these are symlinks to /proc/self/fd/...
"fd"
"stdin"
"stdout"
"stderr"
# bwrap also does some stuff for /dev/{console,core,ptmx,pts,shm}, i don't need those (yet?)
]);
netDev = n: assert n == "all"; [ "--bunpen-keep-net" ]; netDev = n: assert n == "all"; [ "--bunpen-keep-net" ];
path = p: [ "--bunpen-path" p ]; path = p: [ "--bunpen-path" p ];
path-home = p: [ "--bunpen-home-path" p ]; path-home = p: [ "--bunpen-home-path" p ];