# Sandbox and helper-program settings for the `gocryptfs` program entry.
{ ... }:
{
  sane.programs.gocryptfs = {
    sandbox = {
      autodetectCliPaths = "existing";

      capabilities = [
        # sys_admin (CAP_SYS_ADMIN) is needed only when gocryptfs is invoked directly.
        # A mount helper such as `mount.fuse3-sane` does not *necessarily* need it,
        # but a namespace-based sandbox method (bunpen, bwrap) that should preserve
        # user mappings still requires it.
        "sys_admin"

        # NOTE(review): the entries below carry no rationale in this file.
        # On Linux, dac_override / dac_read_search bypass file permission checks and
        # setuid / setgid allow switching identity, so together with sys_admin this
        # set is broad. Confirm each entry against what gocryptfs actually uses and
        # drop the ones it does not need.
        "chown"
        "dac_override"
        "dac_read_search"
        "fowner"
        "lease"
        "mknod"
        "setgid"
        "setuid"
      ];

      # presumably the "preserve user mappings" case described above -- confirm
      # against the sandbox module.
      tryKeepUsers = true;
      keepPids = true;
    };

    suggestedPrograms = [
      # Without util-linux, gocryptfs complains that it can't exec `logger`.
      # TODO(2024-09-09): is this still needed?
      "util-linux"
    ];
  };
}