programs: sandboxing: restrict /run/user dir to just dbus/pipewire/pulse/wayland, by default

2024-02-13 10:28:30 +00:00 · 2024-02-13 10:28:30 +00:00 · 126f3e4922
commit 126f3e4922
parent 73afceb8c6
2 changed files with 4 additions and 3 deletions
--- a/hosts/common/programs/mpv.nix
+++ b/hosts/common/programs/mpv.nix
@ -65,9 +65,10 @@ in
    sandbox.method = "bwrap";
    sandbox.autodetectCliPaths = true;
    sandbox.net = "all";
-    sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
-    sandbox.whitelistDbus = true;  #< mpris
    sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = true;  #< mpris
+    sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
+    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".config/mpv"  #< else mpris plugin crashes on launch
      # it's common for album (or audiobook, podcast) images/lyrics/metadata to live adjacent to the primary file.
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -411,7 +411,7 @@ let
      };
      sandbox.extraRuntimePaths = mkOption {
        type = types.listOf types.str;
-        default = [ "/" ];  #< TODO: reduce to just what's needed
+        default = [ ];
        description = ''
          additional $XDG_RUNTIME_DIR-relative paths to bind into the sandbox.
          e.g. `[ "bus" "wayland-1" ]` to bind the dbus and wayland sockets.