From 8a00a83c719fc2c0e3ccb2f20aee15a8d72836ef Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Thu, 23 Jan 2025 17:24:42 +0900
Subject: [PATCH] nix: expose syscall filter policy

Signed-off-by: Ophestra
---
 nixos.nix   |  3 +++
 options.nix | 16 ++++++++++------
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/nixos.nix b/nixos.nix
index 84e58c7..8706d31 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -117,6 +117,9 @@ in
     dev
     env
   ;
+  syscall = {
+    inherit (app) devel multiarch bluetooth;
+  };
   map_real_uid = app.mapRealUid;
   no_new_session = app.tty;
   filesystem =
diff --git a/options.nix b/options.nix
index 578c7fd..e2c44cc 100644
--- a/options.nix
+++ b/options.nix
@@ -141,16 +141,20 @@ in
   '';
 };

-nix = mkEnableOption "nix daemon access within the sandbox";
-userns = mkEnableOption "userns within the sandbox";
-mapRealUid = mkEnableOption "mapping to fortify's real UID within the sandbox";
-dev = mkEnableOption "access to all devices within the sandbox";
-tty = mkEnableOption "allow access to the controlling terminal";
+nix = mkEnableOption "nix daemon";
+userns = mkEnableOption "user namespace";
+mapRealUid = mkEnableOption "mapping to priv-user uid";
+dev = mkEnableOption "access to all devices";
+tty = mkEnableOption "access to the controlling terminal";

-net = mkEnableOption "network access within the sandbox" // {
+net = mkEnableOption "network access" // {
   default = true;
 };

+devel = mkEnableOption "development kernel APIs";
+multiarch = mkEnableOption "multiarch kernel support";
+bluetooth = mkEnableOption "AF_BLUETOOTH socket operations";
+
 gpu = mkOption {
   type = nullOr bool;
   default = null;
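Review bot: The descriptions of the three new options `devel`, `multiarch` and `bluetooth` in options.nix name the kernel feature being enabled but not that each one widens the sandbox's syscall filter policy, which is the consequence a module author needs to weigh; the commit subject is the only place that says so. Suggest `devel = mkEnableOption "development kernel APIs (widens the syscall filter policy)";` with the same qualifier on the `multiarch` and `bluetooth` lines. Because `mkEnableOption` defaults to false, the filter stays at its strictest unless an application opts in, which is the right default, and saying so in the descriptions makes the trade-off visible where the flags are set rather than only in nixos.nix where they are forwarded into `syscall`. The `gpu` option definition continues past the end of the hunk.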