Recently I was looking at this thread, which has a lot of sandboxing approaches, both in general, as well as for NixOS. There's also - and it wouldn't be particularly hard to write my own `nix` function which takes in a `nix` package and returns a sandboxed version.
However, all those approaches are opt-in, which is not the best security practice. I would probably forget to specify `services.name.package` for some service and leave it with the unsandboxed default. Or, I'd forget to enter a sandbox before opening a directory with `direnv`, which will add a bunch of unsandboxed things to the path.
I’m looking for some way to achieve a sandbox-by-default in NixOS, where I’d explicitly specify when some app actually needs full permissions.
In particular, I'd like things added to `$PATH`, or things run by services/modules, to be sandboxed. However, if a package `pkgs.bar` as a dependency and executes `pkgs.bar` should be in the store unsandboxed, and will run in
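As an added example (my own code, not from the original post or from the thread it links): the kind of `nix` function the post mentions, taking a package and returning a copy whose `bin/` entries run the real binary under `bubblewrap`. The name `sandboxPkg`, the chosen `bwrap` profile and the `pkgs.jq` usage are assumptions for illustration, not anything the post specifies. It is still opt-in, which is exactly the limitation the post describes.

```nix
# Added example, not the original poster's code. `sandboxPkg` is a name chosen here.
# NixOS module fragment: sandboxPkg takes a package and returns a derivation whose
# bin/ entries are wrappers that exec the original store binary under bwrap.
{ pkgs, ... }:

let
  sandboxPkg = pkg:
    pkgs.runCommand "${pkg.pname or pkg.name}-sandboxed" { } ''
      mkdir -p $out/bin
      for bin in ${pkg}/bin/*; do
        [ -x "$bin" ] || continue
        name=$(basename "$bin")
        # Unquoted heredoc: $bin and the store paths expand at build time;
        # "\$@" stays literal so the wrapper forwards its runtime arguments.
        # The whole /nix/store is visible read-only (same as on the host), but
        # no $HOME, no /etc and, via --unshare-all, no network.
        cat > "$out/bin/$name" <<EOF
      #!${pkgs.runtimeShell}
      exec ${pkgs.bubblewrap}/bin/bwrap \\
        --ro-bind /nix/store /nix/store \\
        --proc /proc --dev /dev --tmpfs /tmp \\
        --unshare-all --new-session --die-with-parent \\
        -- $bin "\$@"
      EOF
        chmod +x "$out/bin/$name"
      done
    '';
in
{
  # Opt-in use: the sandboxed copy goes on $PATH, while pkgs.jq itself stays in
  # the store unsandboxed for anything that depends on it. (pkgs.jq is just an
  # example package chosen here.)
  environment.systemPackages = map sandboxPkg [ pkgs.jq ];

  # The same function can be passed to a module's package option, e.g.
  #   services.<name>.package = sandboxPkg pkgs.<name>;
  # which is the line the post worries about forgetting.
}
```

The profile is deliberately strict: anything that needs the network, a writable `$HOME`, or files under `/etc` will fail inside it, so those are the cases where a per-package opt-out (extra `--bind`/`--share-net` flags, or using the unwrapped package) has to be added explicitly. `--new-session` keeps the sandboxed process from injecting input into the calling terminal, and `--die-with-parent` makes sure it doesn't outlive the wrapper. Because the wrapper calls the binary by its own store path, dependencies the package itself executes from `/nix/store` run inside the same sandbox rather than getting a second, separate one.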