diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 7e8dcfd57..c3bb9cfd4 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -69,7 +69,11 @@ let
fullRuntimePaths = lib.optionals (userName != null) (
builtins.map (p: path-lib.concat [ xdgRuntimeDir p ])
- sandbox.extraRuntimePaths
+ (
+ sandbox.extraRuntimePaths
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
+ )
);
allowedPaths = [
"/nix/store"
@@ -331,13 +335,6 @@ let
- "existingFileOrParent" => add the file if it exists; if not, add its parent if that exists. useful for programs which create files.
'';
};
- sandbox.whitelistPwd = mkOption {
- type = types.bool;
- default = false;
- description = ''
- allow the program full access to whichever directory it was launched from.
- '';
- };
sandbox.binMap = mkOption {
type = types.attrsOf types.str;
default = {};
@@ -356,6 +353,20 @@ let
e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
'';
};
+ sandbox.whitelistAudio = mkOption {
+ type = types.bool;
+ default = true; #< TODO: harden default!
+ description = ''
+ allow sandbox to freely interact with pulse/pipewire.
+ '';
+ };
+ sandbox.whitelistDbus = mkOption {
+ type = types.bool;
+ default = true; #< TODO: harden default!
+ description = ''
+ allow sandbox to freely interact with dbus services.
+ '';
+ };
sandbox.whitelistDri = mkOption {
type = types.bool;
default = false;
@@ -367,6 +378,14 @@ let
broad and unaudited attack surface.
'';
};
+ sandbox.whitelistPwd = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ allow the program full access to whichever directory it was launched from.
+ '';
+ };
+
sandbox.extraPaths = mkOption {
type = types.listOf types.str;
default = [];
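Review bot: `sandbox.whitelistAudio` and `sandbox.whitelistDbus` both default to `true` (the `#< TODO: harden default!` marker acknowledges it), so every sandboxed program receives the user's session-bus socket and the pipewire/pulse sockets unless its definition opts out, which inverts the opt-in model that `whitelistDri` follows with `default = false` and a warning about a "broad and unaudited attack surface". A session-bus handle is generally a sandbox bypass rather than a minor leak, since the same bus is how a program talks to the user's other services (the user systemd instance, notification and secret agents, depending on what is running), and neither description says so. If the defaults must stay `true` for now, the descriptions should carry the same warning the DRI option does, e.g. `allow sandbox to freely interact with the user's session dbus. this is effectively a sandbox escape for most programs; prefer false and expose specific services instead.`, and an equivalent line for audio (presumably microphone capture and interposing on other streams). Note also that what the first hunk exposes is only `$XDG_RUNTIME_DIR/bus`, not the system bus, so "dbus services" in the description overstates the grant, and the `# also pipewire-0-manager, unknown purpose` aside is better resolved than left as an invitation to widen the list. The enclosing `let` attribute set begins and ends outside these hunks.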