From 049011e7db17f65bc71cd09767a62f9cd8a07ea3 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 26 Jan 2025 09:03:32 +0000
Subject: [PATCH] gnome-calls: restrict dbus tested, can receive calls, it rings, notifies on missed call, notification can be clicked to call back, in-call audio works and mute button works (on lappy)
---
 hosts/common/programs/calls.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hosts/common/programs/calls.nix b/hosts/common/programs/calls.nix
index 65fb6af9c..4dab18814 100644
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -105,7 +105,12 @@ in
 sandbox.mesaCacheDir = ".cache/calls/mesa";
 sandbox.net = "vpn.wg-home"; #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
 sandbox.whitelistAudio = true;
- sandbox.whitelistDbus.user = true; #< TODO: reduce # necessary for secrets, at the minimum
+ sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*"; #< TODO: restrict to a subset of secrets
+ sandbox.whitelistDbus.user.call."org.mobian_project.CallAudio" = "*";
+ sandbox.whitelistDbus.user.call."org.sigxcpu.Feedback" = "*";
+ sandbox.whitelistDbus.user.call."org.gnome.evolution.dataserver.*" = "*"; #< TODO: reduce; only needs address book and maybe sources
+ sandbox.whitelistDbus.user.own = [ "org.gnome.Calls" ];
+ sandbox.whitelistSendNotifications = true; # for missed calls
 sandbox.whitelistWayland = true;
 persist.byStore.private = [
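Review bot: The `"org.freedesktop.secrets" = "*"` rule still lets the sandboxed Calls process invoke every Secret Service method, and that API as commonly implemented has no per-caller access control, so any unlocked keyring item (not only the SIP credentials) remains readable from inside the sandbox. This is a clear narrowing compared with `whitelistDbus.user = true`, but the TODO should record the residual exposure, e.g. `#< TODO: restrict to a subset of secrets; until then every unlocked keyring item is readable from the sandbox`. The `"org.gnome.evolution.dataserver.*"` glob presumably also matches the calendar and account-source services rather than only the address book, so its TODO deserves the same treatment. The `org.mobian_project.CallAudio` and `org.sigxcpu.Feedback` lines carry no comment; a short why-comment in the style of `# for missed calls` (in-call audio routing and mute, ring and haptic feedback, to be confirmed by the author) would let a later reader judge whether each grant is still needed. The enclosing attribute set starts and ends outside the hunk.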