programs: sane-private-init: sandbox
parent
036145e6ba
commit
f9888fe8d6
|
@ -130,7 +130,6 @@ in
|
|||
".persist/private"
|
||||
];
|
||||
};
|
||||
|
||||
"sane-scripts.private-do".sandbox = {
|
||||
# because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
|
||||
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
|
||||
|
@ -145,6 +144,14 @@ in
|
|||
net = "all";
|
||||
extraPaths = [ "/" ];
|
||||
};
|
||||
"sane-scripts.private-init".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||
extraHomePaths = [
|
||||
".persist/private"
|
||||
];
|
||||
};
|
||||
"sane-scripts.private-lock".sandbox.enable = false;
|
||||
"sane-scripts.private-unlock".sandbox.enable = false;
|
||||
|
||||
|
|
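Review bot: The new `"sane-scripts.private-init".sandbox` block grants `sys_admin` with the comment "it needs to mount the new store", but the script lines visible on this page only run `mkdir -p` and `gocryptfs -init`, and initialising a gocryptfs directory does not itself perform a mount. CAP_SYS_ADMIN is a very broad capability, so unless a part of the script outside the visible hunk mounts something, I would drop `capabilities = [ "sys_admin" ];` and keep this sandbox unprivileged. Separately, the sandbox exposes only `.persist/private` under the home directory while the script tests and creates paths under `/nix/persist/...`; if these are not the same location through a symlink or bind mount (not visible here), the writability check will fail inside bwrap, so a comment stating how the two paths relate would help.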
|
@ -5,7 +5,13 @@ set -ex
|
|||
|
||||
# configure persistent, encrypted storage that is auto-mounted on login.
|
||||
# this is a one-time setup and user should log out/back in after running it.
|
||||
p=/nix/persist/private
|
||||
|
||||
if ! test -d "$p" || ! test -w "$p"; then
|
||||
echo "you must first create the backing dir, with appropriate permissions:"
|
||||
echo "- sudo mkdir $p"
|
||||
echo "- sudo chown colin:users $p"
|
||||
echo "then re-run this script"
|
||||
fi
|
||||
|
||||
p=/nix/persist/home/colin/private
|
||||
mkdir -p $p
|
||||
gocryptfs -init $p
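Review bot: The new `if ! test -d "$p" || ! test -w "$p"` block only prints instructions and then falls through, so a missing or unwritable backing dir does not stop the script before the later `mkdir -p` / `gocryptfs -init` lines; since the message ends with "then re-run this script", add `exit 1` before `fi`. The instructions would also be better sent to stderr, e.g. `echo "then re-run this script" >&2`. As rendered, the check covers `/nix/persist/private` while `p` is then reassigned to `/nix/persist/home/colin/private`; the +/- markers are lost on this page so I cannot tell whether that reassignment survives in the new file, but if it does, the check guards a different directory than the one being initialised. `$p` should also be quoted in `mkdir -p "$p"` and `gocryptfs -init "$p"`, matching the quoting already used in the test.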
|
||||
|
|