programs: sane-private-init: sandbox

2024-02-25 16:46:10 +00:00 · 2024-02-25 16:46:10 +00:00 · f9888fe8d6
commit f9888fe8d6
parent 036145e6ba
2 changed files with 16 additions and 3 deletions
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@ -130,7 +130,6 @@ in
        ".persist/private"
      ];
    };
-
    "sane-scripts.private-do".sandbox = {
      # because `mount` is a cap_sys_admin syscall, there's no great way to mount stuff dynamically like this.
      # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
@ -145,6 +144,14 @@ in
      net = "all";
      extraPaths = [ "/" ];
    };
+    "sane-scripts.private-init".sandbox = {
+      method = "bwrap";
+      wrapperType = "wrappedDerivation";
+      capabilities = [ "sys_admin" ];  # it needs to mount the new store
+      extraHomePaths = [
+        ".persist/private"
+      ];
+    };
    "sane-scripts.private-lock".sandbox.enable = false;
    "sane-scripts.private-unlock".sandbox.enable = false;

--- a/pkgs/additional/sane-scripts/src/sane-private-init
+++ b/pkgs/additional/sane-scripts/src/sane-private-init
@ -5,7 +5,13 @@ set -ex

 # configure persistent, encrypted storage that is auto-mounted on login.
 # this is a one-time setup and user should log out/back in after running it.
+p=/nix/persist/private
+
+if ! test -d "$p" || ! test -w "$p"; then
+  echo "you must first create the backing dir, with appropriate permissions:"
+  echo "- sudo mkdir $p"
+  echo "- sudo chown colin:users $p"
+  echo "then re-run this script"
+fi

-p=/nix/persist/home/colin/private
-mkdir -p $p
 gocryptfs -init $p