Hacker News
by CyberShadow 83 days ago
If you grant access to the Nix daemon socket but not writing outside the current directory, that's an effective sandbox. It allows evaluating derivations but not actually installing them.