From 0a25ef544f3bb2d585c39e73ecf5388b95ad1019 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 27 Jan 2024 12:29:58 +0000
Subject: [PATCH] wike: sandbox with bwrap

---
 hosts/common/programs/wike.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hosts/common/programs/wike.nix b/hosts/common/programs/wike.nix
index eed45ed7..6b924d7b 100644
--- a/hosts/common/programs/wike.nix
+++ b/hosts/common/programs/wike.nix
@@ -1,6 +1,16 @@
 { ... }: {
 sane.programs.wike = {
+sandbox.method = "bwrap";
+sandbox.extraPaths = [
+# wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
+# TODO: these could maybe be mounted empty.
+"/sys/block"
+"/sys/bus"
+"/sys/class"
+"/sys/dev"
+"/sys/devices"
+];
 # wike probably meant to put everything here in a subdir, but didn't.
 persist.byStore.cryptClearOnBoot = [
 ".cache/webkitgtk"