| author | Daiderd Jordan <daiderd@gmail.com> | 2019-02-16 17:47:29 +0100 |
|---|---|---|
| committer | Daiderd Jordan <daiderd@gmail.com> | 2019-02-16 17:47:29 +0100 |
| commit | 1464d9efd3930dafecb45668e6c58349041ea830 (patch) | |
| tree | fedcf79359fabbfa105d90967e0d68e505d71fd7 /modules/security | |
| parent | 1e67f6a2bc496cb5014915a71e323603e4b41662 (diff) | |
lnl: sandbox fetch-nixpkgs-updates service
Diffstat (limited to 'modules/security')
| -rw-r--r-- | modules/security/sandbox/default.nix | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/modules/security/sandbox/default.nix b/modules/security/sandbox/default.nix index 4ad453a..9444b32 100644 --- a/modules/security/sandbox/default.nix +++ b/modules/security/sandbox/default.nix @@ -61,6 +61,8 @@ let config = { + allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking); + profile = mkOrder 0 '' (version 1) (deny default) @@ -97,9 +99,17 @@ let ${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths}) ''} ${optionalString config.allowSystemPaths '' - (allow file-read* process-exec - (subpath "/bin") - (subpath "/usr/bin")) + (allow file-read-metadata + (literal "/") + (literal "/etc") + (literal "/run") + (literal "/tmp") + (literal "/var")) + (allow file-read* + (literal "/private/etc/group") + (literal "/private/etc/hosts") + (literal "/private/etc/passwd") + (literal "/private/var/run/resolv.conf")) ''} ${optionalString config.allowLocalNetworking '' (allow network* (local ip) (local tcp) (local udp)) |
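Review bot: The second hunk changes what `allowSystemPaths` means — it no longer grants `process-exec` on `/bin` and `/usr/bin`, only metadata on a few directory literals plus `file-read*` on four files under `/private/etc` and `/private/var/run` — so the option's name and its description (declared outside this hunk) now overstate what it allows, and any sandboxed service that relied on exec'ing system binaries through this option will start failing with `(deny default)`. Consider renaming or at least re-documenting the option, e.g. `# allow the resolver to read hosts/resolv.conf and the group/passwd databases; does not permit exec of system binaries`. The new default `allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking);` in the first hunk appears to exist because DNS lookups need `resolv.conf`/`hosts`, but that coupling is not stated anywhere; a one-line comment above it such as `# networking is useless without resolver configuration, so pull in the read-only system paths by default` would make the intent clear and tell users they can still override it. One caveat to confirm: on macOS `/etc`, `/var` and `/tmp` are symlinks into `/private`, and the profile only grants `file-read-metadata` on the symlink literals while the `file-read*` entries use the resolved `/private/...` paths — this looks deliberate, but if lookups that `stat` the resolved directories (e.g. `/private/etc`) are denied, the sandboxed service will fail in a way that is hard to diagnose, so it is worth verifying against the sandbox log. The `config = { … }` set and the enclosing `let` both start and end outside these hunks.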
