authorDaiderd Jordan <daiderd@gmail.com>2019-02-16 17:47:29 +0100
committerDaiderd Jordan <daiderd@gmail.com>2019-02-16 17:47:29 +0100
commit1464d9efd3930dafecb45668e6c58349041ea830 (patch)
treefedcf79359fabbfa105d90967e0d68e505d71fd7 /modules/security/sandbox/default.nix
parent1e67f6a2bc496cb5014915a71e323603e4b41662 (diff)
lnl: sandbox fetch-nixpkgs-updates service
Diffstat (limited to 'modules/security/sandbox/default.nix')
-rw-r--r--modules/security/sandbox/default.nix16
1 files changed, 13 insertions, 3 deletions
diff --git a/modules/security/sandbox/default.nix b/modules/security/sandbox/default.nix
index 4ad453a..9444b32 100644
--- a/modules/security/sandbox/default.nix
+++ b/modules/security/sandbox/default.nix
@@ -61,6 +61,8 @@ let
config = {
+ allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking);
+
profile = mkOrder 0 ''
(version 1)
(deny default)
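Review bot: The new `allowSystemPaths = mkDefault (...)` line silently couples a file-access grant to the networking flags, so a caller who only sets `allowNetworking = true` now also gets read access to the passwd, group, hosts and resolv.conf files without anything at this line saying so. I would put a why-comment above it: `# name resolution needs the resolver and user-database files under /private/etc, so grant system paths whenever networking is on unless the caller overrides`. The `allowSystemPaths` option declaration is outside this hunk; if its description still describes the old /bin and /usr/bin grant, it should be brought in line with the narrower rule set. The enclosing `config = {` attribute set continues past the end of the hunk.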
@@ -97,9 +99,17 @@ let
${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths})
''}
${optionalString config.allowSystemPaths ''
- (allow file-read* process-exec
- (subpath "/bin")
- (subpath "/usr/bin"))
+ (allow file-read-metadata
+ (literal "/")
+ (literal "/etc")
+ (literal "/run")
+ (literal "/tmp")
+ (literal "/var"))
+ (allow file-read*
+ (literal "/private/etc/group")
+ (literal "/private/etc/hosts")
+ (literal "/private/etc/passwd")
+ (literal "/private/var/run/resolv.conf"))
''}
${optionalString config.allowLocalNetworking ''
(allow network* (local ip) (local tcp) (local udp))
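Review bot: The new rules name the resolved `/private/...` files while the metadata rule lists the `/etc`, `/var` and `/tmp` symlinks, and nothing in the profile records why; since the sandbox matches against resolved paths, a later `(literal "/etc/hosts")` entry would silently never match. An SBPL comment ahead of the first `allow` would prevent that: `; /etc, /var and /tmp are symlinks into /private on macOS; the sandbox matches resolved paths, so grant metadata on the symlinks and data reads on the real /private/... files`. Note also that `process-exec` on `/bin` and `/usr/bin` is dropped entirely, so a service that spawns `/bin/sh` or `/usr/bin/env` with only `allowSystemPaths` set is now denied — presumably intended for the fetch service, but worth stating in the option's description, which is outside this hunk. The profile string and the enclosing `let` continue beyond the hunk.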