Some way to achieve opt-out (as opposed to opt-in) app sandboxing

Recently I was looking at this thread, which has a lot of sandboxing approaches, both in general, as well as for NixOS. There’s also

  • programs.firejail.wrappedBinaries
  • nixpak
  • and it wouldn’t be particularly hard to write my own nix function which takes in a nix package and returns a sandboxed version.

However, all those approaches are opt-in, which is not the best security practice. I would probably forget to specify for some service and leave it with the unsandboxed default. Or, I’d forget to enter a sandbox before opening a directory with .envrc and direnv will add a bunch of unsandboxed things to the path.

I’m looking for some way to achieve a sandbox-by-default in NixOS, where I’d explicitly specify when some app actually needs full permissions.

In particular, I’d like things added to $PATH, or things run by services/modules to be sandboxed. However, if a package foo has as a dependency and executes ${}/bin/bar, should be in the store unsandbox, and will run in foo’s sandbox.