
lnl: sandbox fetch-nixpkgs-updates service

This commit is contained in:
Daiderd Jordan 2019-02-16 17:47:29 +01:00
parent 1e67f6a2bc
commit 1464d9efd3
No known key found for this signature in database
GPG key ID: D02435D05B810C96
2 changed files with 20 additions and 5 deletions


@ -60,8 +60,13 @@
services.chunkwm.enable = true;
services.skhd.enable = true;
launchd.user.agents.fetch-nixpkgs = {
command = "${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
security.sandbox.profiles.fetch-nixpkgs-updates.closure = [ pkgs.cacert pkgs.git ];
security.sandbox.profiles.fetch-nixpkgs-updates.writablePaths = [ "/src/nixpkgs" ];
security.sandbox.profiles.fetch-nixpkgs-updates.allowNetworking = true;
launchd.user.agents.fetch-nixpkgs-updates = {
command = "/usr/bin/sandbox-exec -f ${config.security.sandbox.profiles.fetch-nixpkgs-updates.profile} ${pkgs.git}/bin/git -C /src/nixpkgs fetch origin master";
environment.HOME = "";
environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
serviceConfig.KeepAlive = false;
serviceConfig.ProcessType = "Background";
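Review bot: `security.sandbox.profiles.fetch-nixpkgs-updates.allowNetworking = true;` also switches on `allowSystemPaths`, because the sandbox module defaults it with `mkDefault (config.allowLocalNetworking || config.allowNetworking)`, and that setting grants `file-read* process-exec` over all of `/bin` and `/usr/bin` rather than only the resolver and hosts files a fetch needs; the resulting profile is therefore wider than the three `security.sandbox.profiles.*` lines make it look. Since this is the example configuration others copy, that coupling deserves a comment next to the profile lines, e.g. `# allowNetworking implies allowSystemPaths (read/exec of /bin and /usr/bin); set it to false explicitly if git does not need them`, and possibly an explicit `allowSystemPaths` value once it is known whether the git fetch (https vs. ssh) depends on anything under `/usr/bin`. `environment.HOME = "";` would also benefit from a one-line comment on its purpose — presumably keeping git from consulting per-user configuration inside the sandbox, but that is inferred, not visible here. The `launchd.user.agents.fetch-nixpkgs-updates` attribute set closes outside the hunk.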


@ -61,6 +61,8 @@ let
config = {
allowSystemPaths = mkDefault (config.allowLocalNetworking || config.allowNetworking);
profile = mkOrder 0 ''
(version 1)
(deny default)
@ -97,9 +99,17 @@ let
${concatMapStrings (x: ''(subpath "${x}")'') config.writablePaths})
''}
${optionalString config.allowSystemPaths ''
(allow file-read* process-exec
(subpath "/bin")
(subpath "/usr/bin"))
(allow file-read-metadata
(literal "/")
(literal "/etc")
(literal "/run")
(literal "/tmp")
(literal "/var"))
(allow file-read*
(literal "/private/etc/group")
(literal "/private/etc/hosts")
(literal "/private/etc/passwd")
(literal "/private/var/run/resolv.conf"))
''}
${optionalString config.allowLocalNetworking ''
(allow network* (local ip) (local tcp) (local udp))