diff --git a/modules/examples/lnl.nix b/modules/examples/lnl.nix
index ebfbafb2..cafb675b 100644
--- a/modules/examples/lnl.nix
+++ b/modules/examples/lnl.nix
@@ -90,7 +90,7 @@
 nix.package = pkgs.nixUnstable;
 nix.useSandbox = true;
- nix.sandboxPaths = [ "/System/Library/Frameworks" "/System/Library/PrivateFrameworks" "/usr/lib" "/private/tmp" "/private/var/tmp" "/dev" "/bin/sh" "/usr/bin/env" ];
+ nix.sandboxPaths = [ "/System/Library/Frameworks" "/System/Library/PrivateFrameworks" "/usr/lib" "/private/tmp" "/private/var/tmp" "/usr/bin/env" ];
 programs.nix-index.enable = true;
@@ -120,6 +120,13 @@
 set -g status-right '#[fg=white]#(id -un)@#(hostname) #(cat /run/current-system/darwin-version)'
 '';
+ programs.tmux.defaultCommand = "IN_NIX_SANDBOX=1 /usr/bin/sandbox-exec -f /etc/nix/sandbox.sb ${config.environment.loginShell}";
+ environment.etc."nix/sandbox.sb".text = ''
+ (version 1)
+ (allow default)
+ (deny file-write* (subpath "/nix"))
+ '';
+
 # programs.vim.enable = true;
 # programs.vim.enableSensible = true;
 programs.vim.package = pkgs.vim_configurable.customize {
@@ -181,6 +188,10 @@
 PS1='%F{red}%B%(?..%? )%b%f%# '
 RPS1='$(_prompt_nix)%F{green}%~%f'
+
+ if [ -z "$IN_NIX_SANDBOX" ]; then
+ PS1+='%F{red}[no-sandbox]%f '
+ fi
 '';
 programs.zsh.loginShellInit = ''
@@ -323,6 +334,10 @@
 host=$(hostname -s | awk -F'-' '{print tolower($NF)}')
 exec tmux new-session -A -s "$host" "$@"
 }
+
+ no-sandbox() {
+ tmux split-window -c '#{pane_current_path}' -p 25 $SHELL -l
+ }
 '';
 programs.zsh.interactiveShellInit = ''
diff --git a/modules/security/sandbox/default.nix b/modules/security/sandbox/default.nix
index 9444b328..bd8050f9 100644
--- a/modules/security/sandbox/default.nix
+++ b/modules/security/sandbox/default.nix
@@ -86,7 +86,6 @@ let
 (allow process-fork)
 (allow signal (target same-sandbox))
- (deny file-write* (subpath "/nix/store"))
 (allow file-read* process-exec $storePaths)
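Review bot: The profile written to `environment.etc."nix/sandbox.sb"` is `(allow default)` with a single write denial, so the shell it wraps is not confined in any general sense, and nothing in the hunk says so; a comment above `programs.tmux.defaultCommand` would fix that, e.g. `# Refuse direct writes under /nix from the interactive shell; everything else is (allow default). IN_NIX_SANDBOX=1 is only a marker read by the zsh prompt.` Note also that `(subpath "/nix")` is wider than the `/nix/store` denial the security module used, since it covers `/nix/var` too; client-side writes there from this shell would presumably be refused while daemon-mediated ones are unaffected, which is worth confirming as intended. `sandbox-exec` is, to my knowledge, marked deprecated in its own man page, so the hard-coded `/usr/bin/sandbox-exec` path deserves a note as well. The enclosing attribute set continues outside the hunk.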
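Review bot: The `[no-sandbox]` marker is derived purely from whether `IN_NIX_SANDBOX` is set, so it reflects how the shell was launched rather than whether `sandbox-exec` is actually confining it; a shell that inherits or exports the variable without going through the tmux wrapper shows no marker. A comment on the `if` line should make that explicit, e.g. `# IN_NIX_SANDBOX is set only by programs.tmux.defaultCommand; informational hint, not proof of confinement.` The surrounding prompt setup continues outside the hunk.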
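Review bot: `no-sandbox` passes `$SHELL` unquoted to `tmux split-window`, and nothing says why the new pane ends up unsandboxed — presumably because the tmux server, not the confined shell, spawns the pane command, so `sandbox.sb` does not apply to it. Quote the variable and state the intent: `# Unsandboxed escape hatch: the tmux server spawns the pane, so sandbox.sb and IN_NIX_SANDBOX do not apply.` followed by `tmux split-window -c '#{pane_current_path}' -p 25 "$SHELL" -l`. The enclosing loginShellInit string continues outside the hunk.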