Some way to achieve opt-out (as opposed to opt-in) app sandboxing

Recently I was looking at this thread, which has a lot of sandboxing approaches, both in general, as well as for NixOS. There’s also

  • programs.firejail.wrappedBinaries
  • nixpak
  • and it wouldn’t be particularly hard to write my own nix function which takes in a nix package and returns a sandboxed version.

However, all those approaches are opt-in, which is not the best security practice. I would probably forget to specify services.name.package for some service and leave it with the unsandboxed default. Or, I’d forget to enter a sandbox before opening a directory with .envrc and direnv will add a bunch of unsandboxed things to the path.

I’m looking for some way to achieve a sandbox-by-default in NixOS, where I’d explicitly specify when some app actually needs full permissions.

In particular, I’d like things added to $PATH, or things run by services/modules, to be sandboxed. However, if a package foo has pkgs.bar as a dependency and executes ${pkgs.bar}/bin/bar, pkgs.bar should be in the store unsandboxed, and will run in foo’s sandbox.
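One shape such a "package in, sandboxed package out" function could take, wired up so that sandboxing is the default and full access is the explicit exception (an added example, not code from this post, nixpak or firejail; `sandboxWith`, `fullAccess`, `sandboxAll` and the bwrap policy are assumptions, and the policy is deliberately minimal):

```nix
# Added example: wrap every bin/* of a package in bubblewrap, then apply that
# to a whole package list, with a short opt-out set instead of per-package opt-in.
{ pkgs, lib, ... }:
let
  sandboxWith = pkg:
    pkgs.runCommand "${lib.getName pkg}-sandboxed"
      { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
        shopt -s nullglob
        mkdir -p $out/bin
        for exe in ${lib.getBin pkg}/bin/*; do
          # The wrapper starts bwrap around the unwrapped store path in $exe, so
          # any dependency the program execs by /nix/store path runs inside this
          # same sandbox rather than needing its own wrapper.
          makeWrapper ${pkgs.bubblewrap}/bin/bwrap "$out/bin/$(basename "$exe")" \
            --add-flags "--ro-bind /nix/store /nix/store --proc /proc --dev /dev" \
            --add-flags "--tmpfs /tmp --tmpfs \$HOME --ro-bind \$PWD \$PWD --chdir \$PWD" \
            --add-flags "--unshare-all --die-with-parent" \
            --add-flags "-- $exe"
        done
      '';

  # Opt-out list (assumption): only packages named here reach $PATH unwrapped.
  fullAccess = [ "nix" "systemd" ];

  # Default is sandboxed; a package must be listed in fullAccess to escape it.
  sandboxAll = packages:
    map (p: if lib.elem (lib.getName p) fullAccess then p else sandboxWith p) packages;
in
{
  environment.systemPackages = sandboxAll (with pkgs; [ jq ripgrep nix ]);
}
```

Because the policy is fixed per wrapper, anything that needs more than a read-only view of the current directory (network, a persistent home) has to be given a tailored profile or added to `fullAccess`, which is exactly the point at which the opt-out becomes visible in the config.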