-rw-r--r--modules/examples/lnl.nix9
-rw-r--r--modules/security/sandbox/default.nix16
2 files changed, 20 insertions, 5 deletions
diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix
index ba80e68..ebfbafb 100644
--- a/modules/examples/lnl.nix
+++ b/modules/examples/lnl.nix
@@ -60,8 +60,13 @@
services.chunkwm.enable = true;
services.skhd.enable = true;
- launchd.user.agents.fetch-nixpkgs = {
- command = "${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+ security.sandbox.profiles.fetch-nixpkgs-updates.closure = [ pkgs.cacert pkgs.git ];
+ security.sandbox.profiles.fetch-nixpkgs-updates.writablePaths = [ "/src/nixpkgs" ];
+ security.sandbox.profiles.fetch-nixpkgs-updates.allowNetworking = true;
+
+ launchd.user.agents.fetch-nixpkgs-updates = {
+ command = "/usr/bin/sandbox-exec -f ${config.security.sandbox.profiles.fetch-nixpkgs-updates.profile} ${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
+ environment.HOME = "";
environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
serviceConfig.KeepAlive = false;
serviceConfig.ProcessType = "Background";
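Review bot: `environment.HOME = ""` on the new fetch-nixpkgs-updates agent is left unexplained, and an empty HOME is unusual enough that a later reader may drop it as a mistake; git resolves its per-user config and credential settings relative to HOME, so the line is presumably what keeps the sandboxed fetch from consulting anything outside the profile. A comment such as `# empty HOME: git must not read ~/.gitconfig or credential helpers from outside the sandbox profile` would preserve that intent. The agent is also renamed from fetch-nixpkgs to fetch-nixpkgs-updates, so any reference to the old name elsewhere in the configuration would need the same change. The launchd.user.agents.fetch-nixpkgs-updates attribute set closes outside this hunk.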
diff --git a/modules/security/sandbox/default.nix b/modules/security/sandbox/default.nix
index 4ad453a..9444b32 100644
--- a/modules/security/sandbox/default.nix
+++ b/modules/security/sandbox/default.nix
@@ -61,6 +61,8 @@ let
config = {
+ allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking);
+
profile = mkOrder 0 ''
(version 1)
(deny default)
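Review bot: The computed default `allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking)` carries no comment saying why networking should imply system-path access, so a profile author who only sets `allowNetworking = true` gets the `/private/etc` reads granted by the second hunk of this file without seeing where they come from. A one-line comment above it, e.g. `# name resolution and user lookups need hosts/resolv.conf/passwd/group, so networking turns system paths on unless overridden` (presumably the reason), would make the coupling explicit. The option declaration for allowSystemPaths lies outside this hunk; its description should state this derived default so that users know a plain assignment overrides it.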
@@ -97,9 +99,17 @@ let
${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths})
''}
${optionalString config.allowSystemPaths ''
- (allow file-read* process-exec
- (subpath "/bin")
- (subpath "/usr/bin"))
+ (allow file-read-metadata
+ (literal "/")
+ (literal "/etc")
+ (literal "/run")
+ (literal "/tmp")
+ (literal "/var"))
+ (allow file-read*
+ (literal "/private/etc/group")
+ (literal "/private/etc/hosts")
+ (literal "/private/etc/passwd")
+ (literal "/private/var/run/resolv.conf"))
''}
${optionalString config.allowLocalNetworking ''
(allow network* (local ip) (local tcp) (local udp))
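Review bot: After this hunk `allowSystemPaths` no longer grants what its name suggests: the removed rule allowed `file-read*` and `process-exec` under `/bin` and `/usr/bin`, while the replacement only allows metadata reads on five top-level paths and data reads on four files under `/private/etc` and `/private/var/run`, so any existing profile that relied on the flag to run system binaries loses that ability silently. The option's description (outside this hunk) should be updated to list exactly what the flag now covers, and the generated profile would benefit from a Scheme comment above the new rules, e.g. `; only the files needed for DNS and user/group lookups; /etc, /var, /tmp are symlinks into /private, hence the metadata rule on the literals`. Whether resolving `/private/etc/hosts` also needs metadata access on `/private` and `/private/etc` under `(deny default)` is not visible here and is worth confirming with a sandboxed run.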