programs: don't include dbus in the sandbox by default

hosts/common/programs/assorted.nix

@@ -224,6 +224,7 @@ in
     blanket.sandbox.method = "bwrap";
     blanket.sandbox.wrapperType = "wrappedDerivation";
     blanket.sandbox.whitelistAudio = true;
+    # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
 
     brightnessctl.sandbox.method = "landlock";  # also bwrap, but landlock is more responsive
     brightnessctl.sandbox.wrapperType = "wrappedDerivation";
@@ -241,6 +242,7 @@ in
     delfin.sandbox.method = "bwrap";
     delfin.sandbox.wrapperType = "wrappedDerivation";
     delfin.sandbox.whitelistAudio = true;
+    # delfin.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
     delfin.sandbox.whitelistDri = true;
     delfin.sandbox.net = "clearnet";
     delfin.persist.byStore.private = [ ".config/delfin" ];
@@ -249,6 +251,7 @@ in
     discord.sandbox.method = "bwrap";
     discord.sandbox.wrapperType = "inplace";  #< /opt-style packaging
     discord.sandbox.whitelistAudio = true;
+    # discord.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
     discord.sandbox.net = "clearnet";
     discord.persist.byStore.private = [ ".config/discord" ];
 

hosts/common/programs/cozy.nix

@@ -5,6 +5,7 @@
     sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.extraHomePaths = [
       "Books"
       "Books/servo"

hosts/common/programs/dino.nix

@@ -49,6 +49,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
 
     persist.byStore.private = [ ".local/share/dino" ];

hosts/common/programs/element-desktop.nix

@@ -11,6 +11,7 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
     packageUnwrapped = pkgs.element-desktop.override {
       # use pre-build electron because otherwise it takes 4 hrs to build from source.

hosts/common/programs/firefox.nix

@@ -237,6 +237,7 @@ in
         sandbox.wrapperType = "inplace";  # probably wrappedDerivation could work too.
         sandbox.net = "all";
         sandbox.whitelistAudio = true;
+        sandbox.whitelistDbus = [ "user" ];  # mpris
         sandbox.extraHomePaths = [
           "dev"  # for developing anything web-related
           "tmp"

hosts/common/programs/fractal.nix

@@ -31,6 +31,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
 
     configOption = with lib; mkOption {

hosts/common/programs/g4music.nix

@@ -11,6 +11,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.extraHomePaths = [
       "Music"
     ];

hosts/common/programs/geary.nix

@@ -22,6 +22,7 @@ in
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.extraPaths = [
       # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
       # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.

hosts/common/programs/gtkcord4.nix

@@ -35,6 +35,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
 
     persist.byStore.private = [

hosts/common/programs/handbrake.nix

@@ -3,6 +3,7 @@
   sane.programs.handbrake = {
     sandbox.method = "landlock";  #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.extraHomePaths = [
       "Music"
       "Pictures"  # i have some videos in there too.

hosts/common/programs/kdenlive.nix

@@ -12,6 +12,7 @@
       "tmp"
     ];
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
     packageUnwrapped = pkgs.kdenlive.override {
       ffmpeg-full = pkgs.ffmpeg-full.override {

hosts/common/programs/playerctl.nix

@@ -2,6 +2,9 @@
 {
   sane.programs.playerctl = {
     sandbox.method = "bwrap";
+    sandbox.wrapperType = "inplace";
+    sandbox.whitelistDbus = [ "user" ];  # notifications
+
     services.playerctld = {
       description = "playerctl daemon to keep track of which MPRIS players were recently active";
       documentation = [ "https://github.com/altdesktop/playerctl/issues/161" ];

hosts/common/programs/signal-desktop.nix

@@ -26,6 +26,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    # sandbox.whitelistDbus = [ "user" ];  # TODO: needed?
 
     # creds, media
     persist.byStore.private = [

hosts/common/programs/spot.nix

@@ -5,6 +5,8 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
+
     secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
     persist.byStore.plaintext = [
       ".cache/spot/img"  # album art

hosts/common/programs/spotify.nix

@@ -4,6 +4,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # nontraditional package structure, where binaries live in /share/spotify
     sandbox.net = "clearnet";
+    sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.whitelistAudio = true;
 
     persist.byStore.plaintext = [

hosts/common/programs/tuba.nix

@@ -5,6 +5,7 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # notifications
     suggestedPrograms = [ "gnome-keyring" ];
   };
 }

hosts/common/programs/vlc.nix

@@ -19,6 +19,7 @@ in
     sandbox.net = "clearnet";
     sandbox.autodetectCliPaths = true;
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
     persist.byStore.private = [
       # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
       # filenames are stored in plaintext (unlike mpv, which i think hashes them)

modules/programs/default.nix

@@ -364,7 +364,7 @@ let
       };
       sandbox.whitelistDbus = mkOption {
         type = types.listOf (types.enum [ "user" "system" ]);
-        default = [ "user" ];  #< TODO: harden default!
+        default = [ ];
         description = ''
           allow sandbox to freely interact with dbus services.
         '';