gnome-calls: restrict dbus

tested, can receive calls, it rings, notifies on missed call, notification can be clicked to call back, in-call audio works and mute button works (on lappy)
2025-01-26 09:03:32 +00:00
parent 40e2cbec2c
commit 049011e7db
1 changed files with 6 additions and 1 deletions
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -105,7 +105,12 @@ in
    sandbox.mesaCacheDir = ".cache/calls/mesa";
    sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # necessary for secrets, at the minimum
+    sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";  #< TODO: restrict to a subset of secrets
+    sandbox.whitelistDbus.user.call."org.mobian_project.CallAudio" = "*";
+    sandbox.whitelistDbus.user.call."org.sigxcpu.Feedback" = "*";
+    sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*";  #< TODO: reduce; only needs address book and maybe sources
+    sandbox.whitelistDbus.user.own = [ "org.gnome.Calls" ];
+    sandbox.whitelistSendNotifications = true;  # for missed calls
    sandbox.whitelistWayland = true;

    persist.byStore.private = [