From 1464d9efd3930dafecb45668e6c58349041ea830 Mon Sep 17 00:00:00 2001 From: Daiderd Jordan Date: Sat, 16 Feb 2019 17:47:29 +0100 Subject: lnl: sandbox fetch-nixpkgs-updates service --- modules/security/sandbox/default.nix | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'modules/security') diff --git a/modules/security/sandbox/default.nix b/modules/security/sandbox/default.nix index 4ad453a..9444b32 100644 --- a/modules/security/sandbox/default.nix +++ b/modules/security/sandbox/default.nix @@ -61,6 +61,8 @@ let config = { + allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking); + profile = mkOrder 0 '' (version 1) (deny default) @@ -97,9 +99,17 @@ let ${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths}) ''} ${optionalString config.allowSystemPaths '' - (allow file-read* process-exec - (subpath "/bin") - (subpath "/usr/bin")) + (allow file-read-metadata + (literal "/") + (literal "/etc") + (literal "/run") + (literal "/tmp") + (literal "/var")) + (allow file-read* + (literal "/private/etc/group") + (literal "/private/etc/hosts") + (literal "/private/etc/passwd") + (literal "/private/var/run/resolv.conf")) ''} ${optionalString config.allowLocalNetworking '' (allow network* (local ip) (local tcp) (local udp)) -- cgit v1.2.3
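Review bot: The new `allowSystemPaths` default in the first hunk ties filesystem access to the networking flags without saying so. A profile that sets only `allowNetworking` or `allowLocalNetworking` now also receives the read rules guarded by `allowSystemPaths` in the second hunk, and nothing in the visible lines tells its author. Because the value is wrapped in `mkDefault`, an explicit `allowSystemPaths = false;` still overrides it, which is worth stating next to the assignment, e.g. `# networking implies the resolver/account file reads below; set allowSystemPaths = false to opt out`. The option declaration is outside this hunk, so its description should carry the same sentence if it does not already.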
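Review bot: In the second hunk, `allowSystemPaths` changes meaning while keeping its name. It no longer grants `process-exec` or reads under `/bin` and `/usr/bin`; it now grants metadata on five literal paths and reads of four files under `/private/etc` and `/private/var/run`. This is a tighter grant, but a profile that enabled the option to run system binaries will be denied at exec time, and the hunk shows no replacement switch. A short comment inside the guarded block would record the intent, e.g. `;; name/account lookups only: stat the symlinked roots, read the four files the resolver opens`. Whether `passwd` and `group` are needed when the option is enabled only through the networking default cannot be told from these lines and should be confirmed, so the default stays as narrow as the service needs. The `profile` string starts in the first hunk and continues past the end of this one.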