programs: refactor whitelistDbus

2025-01-06 09:23:06 +00:00
parent 365d9c2457
commit 2a1d6fff08
83 changed files with 171 additions and 151 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -453,7 +453,7 @@ in

    blanket.buildCost = 1;
    blanket.sandbox.whitelistAudio = true;
-    # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
+    # blanket.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # TODO: untested
    blanket.sandbox.whitelistWayland = true;

    blueberry.sandbox.wrapperType = "inplace";  #< it places binaries in /lib and then /etc/xdg/autostart files refer to the /lib paths, and fail to be patched
@@ -503,7 +503,7 @@ in

    delfin.buildCost = 1;
    delfin.sandbox.whitelistAudio = true;
-    delfin.sandbox.whitelistDbus = [ "user" ];  # else `mpris` plugin crashes the player
+    delfin.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # else `mpris` plugin crashes the player
    delfin.sandbox.whitelistDri = true;
    delfin.sandbox.whitelistWayland = true;
    delfin.sandbox.net = "clearnet";
@@ -655,7 +655,7 @@ in
    gnome-calendar.sandbox.mesaCacheDir = ".cache/gnome-calendar/mesa";  # TODO: is this the correct app-id?
    # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
    gnome-calendar.sandbox.whitelistWayland = true;
-    gnome-calendar.sandbox.whitelistDbus = [ "user" ];
+    gnome-calendar.sandbox.whitelistDbus.user = true;  #< TODO: reduce
    gnome-calendar.suggestedPrograms = [
      "evolution-data-server"  #< to access/persist calendar events
    ];
@@ -663,7 +663,7 @@ in
    # gnome-disks
    # XXX(2024-09-02): fails to show any disks even when run as `BUNPEN_DISABLE=1 sudo -E gnome-disks`.
    gnome-disk-utility.buildCost = 1;
-    gnome-disk-utility.sandbox.whitelistDbus = [ "system" ];
+    gnome-disk-utility.sandbox.whitelistDbus.system = true;
    gnome-disk-utility.sandbox.whitelistWayland = true;
    gnome-disk-utility.sandbox.extraHomePaths = [
      "tmp"
@@ -696,7 +696,7 @@ in
    # seahorse: dump gnome-keyring secrets.
    seahorse.buildCost = 1;
    # N.B. it can lso manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
-    seahorse.sandbox.whitelistDbus = [ "user" ];
+    seahorse.sandbox.whitelistDbus.user = true;  #< TODO: reduce
    seahorse.sandbox.whitelistWayland = true;

    gnome-2048.buildCost = 1;
@@ -706,7 +706,7 @@ in

    gnome-frog.buildCost = 1;
    gnome-frog.sandbox.whitelistWayland = true;
-    gnome-frog.sandbox.whitelistDbus = [ "user" ];
+    gnome-frog.sandbox.whitelistDbus.user = true;  #< TODO: reduce
    gnome-frog.sandbox.extraPaths = [
      # needed when processing screenshots (TODO: can i have it use a custom TMPDIR?)
      "/tmp"
@@ -822,7 +822,7 @@ in
      "/sys/devices"
    ];

-    libnotify.sandbox.whitelistDbus = [ "user" ];  # notify-send
+    libnotify.sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notify-send

    lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli";
    lightning-cli.sandbox.extraHomePaths = [
@@ -908,7 +908,7 @@ in
    nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];

    networkmanagerapplet.sandbox.whitelistWayland = true;
-    networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
+    networkmanagerapplet.sandbox.whitelistDbus.system = true;

    nil.sandbox.whitelistPwd = true;
    nil.sandbox.keepPids = true;
@@ -1058,7 +1058,7 @@ in
    sane-cast.sandbox.whitelistAudio = true;  #< for sblast audio casting
    sane-cast.suggestedPrograms = [ "go2tv" "sblast" ];

-    sane-color-picker.sandbox.whitelistDbus = [ "user" ];  #< required for eyedropper to work
+    sane-color-picker.sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< required for eyedropper to work
    sane-color-picker.sandbox.whitelistWayland = true;
    sane-color-picker.sandbox.keepPidsAndProc = true;  #< required by wl-clipboard
    sane-color-picker.suggestedPrograms = [
--- a/hosts/common/programs/avahi.nix
+++ b/hosts/common/programs/avahi.nix
@@ -28,7 +28,7 @@ in
        pkgs.makeBinaryWrapper
      ];
    });
-    sandbox.whitelistDbus = [ "system" ];
+    sandbox.whitelistDbus.system = true;
    sandbox.net = "all";  #< otherwise it will show 'null' in place of each interface name.
    # sandbox.extraPaths = [ ];  #< may be missing some paths; only tried service discovery, not service advertisement.
  };
--- a/hosts/common/programs/brightnessctl.nix
+++ b/hosts/common/programs/brightnessctl.nix
@@ -9,7 +9,7 @@ in
      "/sys/class/leds"
      "/sys/devices"
    ];
-    # sandbox.whitelistDbus = [ "system" ];  #< only necessary if not granting udev perms
+    # sandbox.whitelistDbus.system = true;  #< only necessary if not granting udev perms
  };

  services.udev.extraRules = let
--- a/hosts/common/programs/callaudiod.nix
+++ b/hosts/common/programs/callaudiod.nix
@@ -14,7 +14,7 @@
    packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod;

    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce

    services.callaudiod = {
      description = "callaudiod: dbus service to switch audio profiles and mute microphone";
--- a/hosts/common/programs/calls.nix
+++ b/hosts/common/programs/calls.nix
@@ -105,7 +105,7 @@ in
    sandbox.mesaCacheDir = ".cache/calls/mesa";
    sandbox.net = "vpn.wg-home";  #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it.
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # necessary for secrets, at the minimum
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # necessary for secrets, at the minimum
    sandbox.whitelistWayland = true;

    persist.byStore.private = [
--- a/hosts/common/programs/cozy.nix
+++ b/hosts/common/programs/cozy.nix
@@ -16,7 +16,7 @@
    buildCost = 1;

    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      "Books/Audiobooks"
--- a/hosts/common/programs/dconf.nix
+++ b/hosts/common/programs/dconf.nix
@@ -30,7 +30,7 @@ in
 {
  sane.programs.dconf = {
    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.dconf;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    persist.byStore.private = [
      ".config/dconf"
    ];
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -64,7 +64,7 @@ in

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/discord.nix
+++ b/hosts/common/programs/discord.nix
@@ -11,7 +11,7 @@
    persist.byStore.private = [ ".config/discord" ];
    sandbox.wrapperType = "inplace";  #< package contains broken symlinks that my wrapper can't handle
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # needed for xdg-open
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # needed for xdg-open
    sandbox.whitelistDri = true;  #< required for even basic graphics (e.g. rendering a window)
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
--- a/hosts/common/programs/dissent.nix
+++ b/hosts/common/programs/dissent.nix
@@ -38,7 +38,7 @@ in

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/eg25-control.nix
+++ b/hosts/common/programs/eg25-control.nix
@@ -17,9 +17,7 @@ in
      # "/var/lib/eg25-control"
    ];
    sandbox.net = "all";  #< for downloading the almanac
-    sandbox.whitelistDbus = [
-      "system"  #< used by `mmcli`
-    ];
+    sandbox.whitelistDbus.system = true;  #< used by `mmcli`

    services.eg25-control-powered = {
      description = "eg25-control-powered: power to the Qualcomm eg25 modem used by PinePhone";
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -30,7 +30,7 @@

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/epiphany.nix
+++ b/hosts/common/programs/epiphany.nix
@@ -11,7 +11,7 @@
    sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< silently fails to start without it.
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< silently fails to start without it.
    # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
    # enabling DRI/DRM (as below) seems to fix that.
    sandbox.whitelistDri = true;
--- a/hosts/common/programs/evolution-data-server.nix
+++ b/hosts/common/programs/evolution-data-server.nix
@@ -96,7 +96,7 @@ in
      "radicale"
    ];

-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.net = "localhost";  #< to reach radicale  (TODO: restrict further)

    persist.byStore.ephemeral = [
--- a/hosts/common/programs/fcitx5.nix
+++ b/hosts/common/programs/fcitx5.nix
@@ -34,7 +34,7 @@
      ];
    };

-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.whitelistWayland = true;  # for `fcitx5-configtool, if nothing else`
    sandbox.extraHomePaths = [
      # ".config/fcitx"
--- a/hosts/common/programs/feedbackd.nix
+++ b/hosts/common/programs/feedbackd.nix
@@ -24,7 +24,7 @@ in
      default = {};
    };

-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.whitelistAudio = true;
    sandbox.extraPaths = [
      "/dev/input/by-path/platform-vibrator-event"
--- a/hosts/common/programs/firefox-xdg-open.nix
+++ b/hosts/common/programs/firefox-xdg-open.nix
@@ -3,7 +3,7 @@
  sane.programs.firefox-xdg-open = {
    packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent;

-    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for xdg-open/portals

    mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop";

--- a/hosts/common/programs/firefox/default.nix
+++ b/hosts/common/programs/firefox/default.nix
@@ -214,7 +214,7 @@ in
    sandbox.net = "all";
    sandbox.whitelistAudio = true;
    sandbox.whitelistAvDev = true;  #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      "dev"  # for developing anything web-related
--- a/hosts/common/programs/flare-signal.nix
+++ b/hosts/common/programs/flare-signal.nix
@@ -80,8 +80,6 @@
    env.FLARE_DATA_PATH = "$HOME/.local/share/flare/data";
    # sandbox.net = "clearnet";
    # sandbox.whitelistWayland = true;
-    # sandbox.whitelistDbus = [
-    #   "user"  # so i can click on links, at least
-    # ];
+    # sandbox.whitelistDbus.user = true;  # so i can click on links, at least (TODO: reduce!)
  };
 }
--- a/hosts/common/programs/foliate.nix
+++ b/hosts/common/programs/foliate.nix
@@ -3,7 +3,7 @@
 {
  sane.programs.foliate = {
    sandbox.net = "clearnet";  #< for dictionary, wikipedia, online book libraries
-    sandbox.whitelistDbus = [ "user" ];  #< when clicking on links
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< when clicking on links
    sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@@ -38,7 +38,7 @@ in

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/g4music.nix
+++ b/hosts/common/programs/g4music.nix
@@ -11,7 +11,7 @@
    buildCost = 1;

    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      "Music"
--- a/hosts/common/programs/gdbus.nix
+++ b/hosts/common/programs/gdbus.nix
@@ -3,6 +3,6 @@
  sane.programs.gdbus = {
    packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus";

-    sandbox.whitelistDbus = [ "user" ];  #< XXX: maybe future users will also want system access
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< XXX: maybe future users will also want system access
  };
 }
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -25,7 +25,7 @@ in

    sandbox.wrapperType = "inplace";  #< XXX(2024-08-20): if executed from a directory different than the configured prefix, it fails to locate its sql migration files
    sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      # it shouldn't need these, but portal integration seems incomplete?
--- a/hosts/common/programs/geoclue-demo-agent.nix
+++ b/hosts/common/programs/geoclue-demo-agent.nix
@@ -7,9 +7,7 @@
      path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent";
    }];

-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;

    services.geoclue-agent = {
      description = "geoclue 'demo' agent";
--- a/hosts/common/programs/geoclue2.nix
+++ b/hosts/common/programs/geoclue2.nix
@@ -47,9 +47,7 @@ in
    package = lib.mkForce null;

    # experimental sandboxing (2024/07/05)
-    # sandbox.whitelistDbus = [
-    #   "system"
-    # ];
+    # sandbox.whitelistDbus.system = true;
    # sandbox.net = "all";
  };

--- a/hosts/common/programs/gnome-clocks.nix
+++ b/hosts/common/programs/gnome-clocks.nix
@@ -2,7 +2,7 @@
  sane.programs.gnome-clocks = {
    buildCost = 1;
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< required for DE notification when alarm rings
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< required for DE notification when alarm rings
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/gnome-clocks/mesa";  # TODO: is this the correct app-id?
    gsettingsPersist = [ "org/gnome/clocks" ];
--- a/hosts/common/programs/gnome-contacts.nix
+++ b/hosts/common/programs/gnome-contacts.nix
@@ -29,7 +29,7 @@
      did-initial-setup = true;
    };

-    sandbox.whitelistDbus = [ "user" ];  #< for OpenURI, evolution-data-server
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< for OpenURI, evolution-data-server
    sandbox.whitelistDri = true;  #< speculative, but i'd like it to be responsive on mobile
    sandbox.whitelistWayland = true;

--- a/hosts/common/programs/gnome-keyring/default.nix
+++ b/hosts/common/programs/gnome-keyring/default.nix
@@ -3,7 +3,7 @@
 {
  sane.programs.gnome-keyring = {
    packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.extraRuntimePaths = [
      "keyring"  #< only needs keyring/control, but has to *create* that.
      # "keyring/control"
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -34,10 +34,8 @@

    sandbox.wrapperType = "inplace";  #< /share directory contains Gir info which references libgnome-maps.so by path
    sandbox.whitelistDri = true;  # for perf
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-      "user"  #< not sure if "user" is necessary?
-    ];
+    sandbox.whitelistDbus.system = true;  #< system is required for non-portal location services
+    sandbox.whitelistDbus.user = true;  #< TODO: not sure if "user" is necessary?
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";

--- a/hosts/common/programs/gpodder.nix
+++ b/hosts/common/programs/gpodder.nix
@@ -24,7 +24,7 @@ in {
      ];
    });

-    sandbox.whitelistDbus = [ "user" ];  # it won't launch without it, dunno exactly why.
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # it won't launch without it, dunno exactly why.
    sandbox.whitelistDri = true;  #< hopefully slightly more bearable speed
    sandbox.whitelistWayland = true;
    sandbox.net = "clearnet";
--- a/hosts/common/programs/gps-share.nix
+++ b/hosts/common/programs/gps-share.nix
@@ -28,7 +28,7 @@ in

    sandbox.net = "all";
    sandbox.autodetectCliPaths = "existing";  #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile`
-    sandbox.whitelistDbus = [ "system" ];  #< to register with Avahi
+    sandbox.whitelistDbus.system = true;  #< to register with Avahi

    services.gps-share = {
      description = "gps-share: make local GPS serial readings available over Avahi";
--- a/hosts/common/programs/grimshot.nix
+++ b/hosts/common/programs/grimshot.nix
@@ -15,7 +15,7 @@
      "wl-clipboard"
    ];
    sandbox.keepPids = true;  #< needed by wl-clipboard
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.whitelistWayland = true;
    sandbox.extraRuntimePaths = [
      "sway"
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@@ -5,7 +5,7 @@

    sandbox.mesaCacheDir = ".cache/handbrake/mesa";  # TODO: is this the correct app-id?

-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      "Music"
--- a/hosts/common/programs/htop/default.nix
+++ b/hosts/common/programs/htop/default.nix
@@ -6,7 +6,7 @@
      "/sys/devices"
      "/sys/block"  # for zram usage
    ];
-    sandbox.whitelistDbus = [ "system" ];  #< to show systemd job status
+    sandbox.whitelistDbus.system = true;  #< to show systemd job status
    fs.".config/htop/htoprc".symlink.target = ./htoprc;
  };
 }
--- a/hosts/common/programs/iio-sensor-proxy.nix
+++ b/hosts/common/programs/iio-sensor-proxy.nix
@@ -41,7 +41,7 @@ in
    });
    enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true;  #< for dbus/polkit policies

-    sandbox.whitelistDbus = [ "system" ];
+    sandbox.whitelistDbus.system = true;
    sandbox.extraPaths = [
      "/run/udev/data"
      "/sys/bus"
--- a/hosts/common/programs/kdenlive.nix
+++ b/hosts/common/programs/kdenlive.nix
@@ -18,7 +18,7 @@
      "tmp"
    ];
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    # sandbox.whitelistX = true;  #< or run with `QT_QPA_PLATFORM=wayland`, without X(wayland)
--- a/hosts/common/programs/koreader/default.nix
+++ b/hosts/common/programs/koreader/default.nix
@@ -46,7 +46,7 @@ in {
  sane.programs.koreader = {
    packageUnwrapped = pkgs.koreader-from-src;
    sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # for opening the web browser via portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for opening the web browser via portal
    sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/lemoa.nix
+++ b/hosts/common/programs/lemoa.nix
@@ -3,7 +3,7 @@
  sane.programs.lemoa = {
    buildCost = 1;
    sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # for clicking links
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for clicking links
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    # creds
--- a/hosts/common/programs/megapixels-next.nix
+++ b/hosts/common/programs/megapixels-next.nix
@@ -43,7 +43,7 @@ in
    sandbox.wrapperType = "inplace";  #< for share/megapixels/movie.sh
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so that it can open the image viewer using fdo portal...
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so that it can open the image viewer using fdo portal...
    sandbox.extraHomePaths = [
      # ".config/megapixels"
      "Pictures/Photos"
--- a/hosts/common/programs/megapixels.nix
+++ b/hosts/common/programs/megapixels.nix
@@ -28,7 +28,7 @@
    #   "bwrap: failed to make / slave: Operation not permitted"
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
    sandbox.extraHomePaths = [
      # ".config/megapixels"
      "Pictures/Photos"
--- a/hosts/common/programs/mepo.nix
+++ b/hosts/common/programs/mepo.nix
@@ -15,10 +15,8 @@
    sandbox.net = "all";  # for tiles *and* for localhost comm to gpsd
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-      "user"  #< not sure if "user" is necessary?
-    ];
+    sandbox.whitelistDbus.system = true;  # system is required for non-portal location services
+    sandbox.whitelistDbus.user = true;  #< TODO: not sure if "user" is necessary?
    sandbox.mesaCacheDir = ".cache/mepo/mesa";

    persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
--- a/hosts/common/programs/mmcli.nix
+++ b/hosts/common/programs/mmcli.nix
@@ -24,9 +24,7 @@
    });

    sandbox.tryKeepUsers = true;
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
  };
 }

--- a/hosts/common/programs/mpv/default.nix
+++ b/hosts/common/programs/mpv/default.nix
@@ -190,7 +190,7 @@ in
    sandbox.autodetectCliPaths = "parent";  #< especially for subtitle downloader; also nice for viewing albums
    sandbox.net = "all";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< mpris
    sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/nautilus.nix
+++ b/hosts/common/programs/nautilus.nix
@@ -14,7 +14,7 @@
    #   "gvfs"  # browse ftp://, etc  (TODO: fix!)
    # ];

-    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for portals launching apps
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      # grant access to pretty much everything, except for secret keys.
--- a/hosts/common/programs/networkmanager_dmenu/default.nix
+++ b/hosts/common/programs/networkmanager_dmenu/default.nix
@@ -3,9 +3,7 @@
 {
  sane.programs.networkmanager_dmenu = {
    # sandbox.keepPidsAndProc = true;  #< else it can't connect to NetworkManager (?)
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".cache/rofi"
--- a/hosts/common/programs/newsflash.nix
+++ b/hosts/common/programs/newsflash.nix
@@ -19,7 +19,7 @@ in {

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;  #< for embedded videos
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.extraPaths = [
--- a/hosts/common/programs/nmcli.nix
+++ b/hosts/common/programs/nmcli.nix
@@ -2,8 +2,6 @@
 {
  sane.programs.nmcli = {
    packageUnwrapped = pkgs.networkmanager-split.nmcli;
-    sandbox.whitelistDbus = [
-      "system"
-    ];
+    sandbox.whitelistDbus.system = true;
  };
 }
--- a/hosts/common/programs/nwg-panel/default.nix
+++ b/hosts/common/programs/nwg-panel/default.nix
@@ -197,9 +197,7 @@ in
    sandbox.whitelistDri = true;
    sandbox.whitelistSystemctl = true;
    sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [
-      "user"  # playerctl, swaync, ...
-    ];
+    sandbox.whitelistDbus.user = true;  # playerctl, swaync, ... (TODO: reduce)
    sandbox.extraPaths = [
      "/sys/class/backlight"
      "/sys/class/leds"  #< for torch/flashlight on moby
--- a/hosts/common/programs/open-in-mpv.nix
+++ b/hosts/common/programs/open-in-mpv.nix
@@ -2,7 +2,7 @@
 { pkgs, ... }:
 {
  sane.programs.open-in-mpv = {
-    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for xdg-open/portals

    # taken from <https://github.com/Baldomo/open-in-mpv>
    fs.".config/open-in-mpv/config.yml".symlink.text = ''
--- a/hosts/common/programs/papers.nix
+++ b/hosts/common/programs/papers.nix
@@ -7,7 +7,7 @@
    # });

    buildCost = 2;  #< webkitgtk
-    sandbox.whitelistDbus = [ "user" ];  #< for clicking links
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< for clicking links
    sandbox.whitelistDri = true;  #< speedier
    sandbox.whitelistWayland = true;
    sandbox.autodetectCliPaths = "existingFile";
--- a/hosts/common/programs/pipewire/default.nix
+++ b/hosts/common/programs/pipewire/default.nix
@@ -58,7 +58,6 @@ in
    ];

    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [
    # dbus is used for rtkit integration
    # rtkit runs on the system bus.
    # xdg-desktop-portal then exposes this to the user bus.
@@ -66,8 +65,7 @@ in
    # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal.
    # then, pipewire has to talk specifically to rtkit (system) and not go through xdp.
    # "system"  #< not required UNLESS i want rtkit integration
-      "user"  #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application
-    ];
+    sandbox.whitelistDbus.user = true;  #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application  (TODO: reduce)
    sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
    sandbox.keepPidsAndProc = true;  #< TODO: why?
    sandbox.whitelistAvDev = true;
--- a/hosts/common/programs/playerctl.nix
+++ b/hosts/common/programs/playerctl.nix
@@ -2,7 +2,7 @@
 {
  sane.programs.playerctl = {
    sandbox.wrapperType = "inplace";  #< /lib/pkgconfig/playerctl.pc refers to $out by full path
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications

    services.playerctld = {
      description = "playerctl daemon to keep track of which MPRIS players were recently active";
--- a/hosts/common/programs/portfolio-filemanager.nix
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -2,7 +2,7 @@
 {
  sane.programs.portfolio-filemanager = {
    # this is all taken pretty directly from nautilus config
-    sandbox.whitelistDbus = [ "user" ];  # for portals launching apps
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # for portals launching apps
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      # grant access to pretty much everything, except for secret keys.
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -94,7 +94,7 @@ in
      "rofi-run-command"
    ];

-    sandbox.whitelistDbus = [ "user" ];  #< to launch apps via the portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< to launch apps via the portal
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".local/share/applications"  #< to locate .desktop files
@@ -142,7 +142,7 @@ in
    };
    # sandboxing options cribbed from sane-open
    sandbox.autodetectCliPaths = "existing";  # for when opening a file
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.keepPidsAndProc = true;
    sandbox.extraHomePaths = [ ".local/share/applications" ];
    sandbox.extraRuntimePaths = [ "sway" ];
--- a/hosts/common/programs/sane-input-handler/default.nix
+++ b/hosts/common/programs/sane-input-handler/default.nix
@@ -98,7 +98,7 @@ in
      "wvkbd"
    ];
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< to launch applications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< to launch applications
    sandbox.whitelistSystemctl = true;  #< to restart bonsaid on failure
    sandbox.extraRuntimePaths = [ "sway" ];
    sandbox.keepPidsAndProc = true;  #< for toggling the keyboard
--- a/hosts/common/programs/sane-open.nix
+++ b/hosts/common/programs/sane-open.nix
@@ -7,7 +7,7 @@
    ];

    sandbox.autodetectCliPaths = "existing";  # for when opening a file
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.keepPidsAndProc = true;  #< to toggle keyboard
    sandbox.extraHomePaths = [
      ".local/share/applications"
@@ -26,6 +26,6 @@
    # so doesn't need all sandboxing.
    # that might hint that the packages should be split/restructured...
    sandbox.whitelistWayland = true;  #< to access clipboard
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
  };
 }
--- a/hosts/common/programs/sane-screenshot.nix
+++ b/hosts/common/programs/sane-screenshot.nix
@@ -1,7 +1,7 @@
 { ... }:
 {
  sane.programs.sane-screenshot = {
-    sandbox.whitelistDbus = [ "user" ];  #< to send notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< to send notifications
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      "Pictures/Screenshots"
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -223,9 +223,7 @@ in

    "sane-scripts.wipe".sandbox = {
      method = "bunpen";
-      whitelistDbus = [
-        "user"  #< for `secret-tool`
-      ];
+      whitelistDbus.user = true;  #< for `secret-tool` (TODO: reduce)
      whitelistSystemctl = true;
      keepPidsAndProc = true;  #< so that it can `kill` the programs being wiped
      extraHomePaths = [
--- a/hosts/common/programs/satellite.nix
+++ b/hosts/common/programs/satellite.nix
@@ -50,9 +50,7 @@
 { ... }:
 {
  sane.programs.satellite = {
-    sandbox.whitelistDbus = [
-      "system"  #< reads NMEA data via ModemManager
-    ];
+    sandbox.whitelistDbus.system = true;  #< reads NMEA data via ModemManager
    sandbox.whitelistWayland = true;
    sandbox.mesaCacheDir = ".cache/satellite/mesa";  # TODO: is this the correct app-id?
  };
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -39,9 +39,7 @@ in

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [
-      "user"  # so i can click on links
-    ];
+    sandbox.whitelistDbus.user = true;  # for clicking on links (TODO: reduce)
    sandbox.whitelistDri = true;  #< hopefully it makes use of this for perf?
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/spot.nix
+++ b/hosts/common/programs/spot.nix
@@ -5,7 +5,7 @@

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
    sandbox.whitelistWayland = true;

    secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
--- a/hosts/common/programs/spotify.nix
+++ b/hosts/common/programs/spotify.nix
@@ -3,7 +3,7 @@
  sane.programs.spotify = {
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
    sandbox.whitelistWayland = true;

    persist.byStore.plaintext = [
--- a/hosts/common/programs/steam.nix
+++ b/hosts/common/programs/steam.nix
@@ -3,7 +3,7 @@
  sane.programs.steam = {
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< to open https:// links in portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< to open https:// links in portal
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.whitelistX = true;
--- a/hosts/common/programs/sway/default.nix
+++ b/hosts/common/programs/sway/default.nix
@@ -228,7 +228,8 @@ in

    sandbox.net = "all";  # TODO: shouldn't be needed! but without this, mouse/kb hotplug doesn't work.
    sandbox.whitelistAudio = true;  # it runs playerctl directly
-    sandbox.whitelistDbus = [ "system" "user" ];  # to e.g. launch apps
+    sandbox.whitelistDbus.system = true;
+    sandbox.whitelistDbus.user = true;  # to e.g. launch apps (TODO: reduce)
    sandbox.whitelistDri = true;
    sandbox.whitelistSystemctl = true;  #< for Super+L to start the screen locker service
    sandbox.whitelistX = true;  # sway invokes xwayland itself
--- a/hosts/common/programs/swayidle.nix
+++ b/hosts/common/programs/swayidle.nix
@@ -82,9 +82,7 @@ in
      # "sway"  #< required, but circular dep
    ];

-    sandbox.whitelistDbus = [
-      "user"  #< ??
-    ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce (??)
    sandbox.whitelistSystemctl = true;
    sandbox.whitelistWayland = true;
    sandbox.extraRuntimePaths = [ "sway" ];
--- a/hosts/common/programs/swaynotificationcenter/default.nix
+++ b/hosts/common/programs/swaynotificationcenter/default.nix
@@ -54,7 +54,7 @@ in
        "util-linux"
      ];
    };
-    sandbox.whitelistDbus = [ "user" ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce
    sandbox.keepPidsAndProc = true;  # `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process
  };

@@ -107,10 +107,8 @@ in
    ];

    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [
-      "user"  # mpris; portal
-      "system"  # backlight
-    ];
+    sandbox.whitelistDbus.user = true;  # mpris; portal (TODO: reduce)
+    sandbox.whitelistDbus.system = true;  # backlight
    sandbox.whitelistSystemctl = true;
    sandbox.whitelistWayland = true;
    sandbox.extraPaths = [
--- a/hosts/common/programs/switchboard.nix
+++ b/hosts/common/programs/switchboard.nix
@@ -28,7 +28,7 @@
      xorg = pkgs.buildPackages.xorg;  #< cross compilation fix (TODO: upstream)
    };
    sandbox.whitelistWayland = true;
-    sandbox.whitelistDbus = [ "system" ];  #< to speak with NetworkManager
+    sandbox.whitelistDbus.system = true;  #< to speak with NetworkManager
    sandbox.whitelistAudio = true;  #< even with this, the sound plugin doesn't seem to work...
    sandbox.mesaCacheDir = ".cache/switchboard/mesa";  # TODO: is this the correct app-id?
  };
--- a/hosts/common/programs/tor-browser.nix
+++ b/hosts/common/programs/tor-browser.nix
@@ -11,7 +11,7 @@
    });
    sandbox.net = "clearnet";  # tor over VPN wouldn't make sense
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  #< so `tor-browser http://...` can open using an existing instance
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< so `tor-browser http://...` can open using an existing instance
    sandbox.whitelistWayland = true;
    # sandbox.mesaCacheDir = ".cache/tor-browser/mesa";  # don't persist mesa dir (privacy)
    persist.byStore.ephemeral = [
--- a/hosts/common/programs/tuba.nix
+++ b/hosts/common/programs/tuba.nix
@@ -5,7 +5,7 @@

    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      "Music"
--- a/hosts/common/programs/vlc.nix
+++ b/hosts/common/programs/vlc.nix
@@ -17,7 +17,7 @@ in
    sandbox.net = "clearnet";
    sandbox.autodetectCliPaths = "existing";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # mpris
    sandbox.whitelistWayland = true;
    persist.byStore.private = [
      # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
--- a/hosts/common/programs/waybar/default.nix
+++ b/hosts/common/programs/waybar/default.nix
@@ -82,10 +82,8 @@ in
    };

    sandbox.net = "all";  #< to show net connection status and BW
-    sandbox.whitelistDbus = [
-      "user"  #< for playerctl/media
-      "system"  #< for modem (on phone)
-    ];
+    sandbox.whitelistDbus.user = true;  #< for playerctl/media (TODO: reduce)
+    sandbox.whitelistDbus.system = true;  #< for modem (on phone)
    sandbox.whitelistWayland = true;
    sandbox.extraRuntimePaths = [
      "sway"
--- a/hosts/common/programs/where-am-i.nix
+++ b/hosts/common/programs/where-am-i.nix
@@ -19,8 +19,6 @@
    });

    sandbox.net = "all";  # TODO: why does it require this? i think it just needs *some* net dev and any will do.
-    sandbox.whitelistDbus = [
-      "system"  # system is required for non-portal location services
-    ];
+    sandbox.whitelistDbus.system = true;  # system is required for non-portal location services
  };
 }
--- a/hosts/common/programs/wike.nix
+++ b/hosts/common/programs/wike.nix
@@ -6,7 +6,7 @@
    sandbox.wrapperType = "inplace";  # share/wike/wike-sp refers back to the binaries and share
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # without this, the search button pulls up a table of contents instead
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # without this, the search button pulls up a table of contents instead
    # default sandboxing breaks rendering in weird ways. like it loads the desktop version of articles.
    # enabling DRI/DRM (as below) hopefully fixes that.
    sandbox.whitelistDri = true;
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@@ -6,10 +6,8 @@
      pipewire = config.sane.programs.pipewire.packageUnwrapped;
    };

-    sandbox.whitelistDbus = [
-      # "system"  #< so it can request better scheduling from rtkit
-      "user"  #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application
-    ];
+    # sandbox.whitelistDbus.system = true;  #< so it can request better scheduling from rtkit
+    sandbox.whitelistDbus.user = true;  #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application  (TODO: reduce)
    sandbox.whitelistAudio = true;
    sandbox.whitelistAvDev = true;
    # sandbox.keepPids = true;  #< needed if i want rtkit to grant this higher scheduling priority
--- a/hosts/common/programs/xdg-desktop-portal-gnome/default.nix
+++ b/hosts/common/programs/xdg-desktop-portal-gnome/default.nix
@@ -13,7 +13,7 @@ in
      ];
    });

-    sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # speak to main xdg-desktop-portal
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".local/share/applications"  # file opener needs to find .desktop files, for their icon/name.
--- a/hosts/common/programs/xdg-desktop-portal-gtk.nix
+++ b/hosts/common/programs/xdg-desktop-portal-gtk.nix
@@ -7,7 +7,7 @@ in
    # rmDbusServices: because we care about ordering with the rest of the desktop, and don't want something else to auto-start this.
    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;

-    sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # speak to main xdg-desktop-portal
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
      ".local/share/applications"  # file opener needs to find .desktop files, for their icon/name.
--- a/hosts/common/programs/xdg-desktop-portal-nautilus.nix
+++ b/hosts/common/programs/xdg-desktop-portal-nautilus.nix
@@ -27,7 +27,7 @@
      ];
    }));

-    sandbox.whitelistDbus = [ "user" ];  # to receive requests from xdg-desktop-portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # to receive requests from xdg-desktop-portal
    sandbox.whitelistDri = true;  #< else it's laggy on moby
    sandbox.whitelistWayland = true;

--- a/hosts/common/programs/xdg-desktop-portal-wlr.nix
+++ b/hosts/common/programs/xdg-desktop-portal-wlr.nix
@@ -8,7 +8,7 @@ in
    packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;

    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus = [ "user" ];  # speak to main xdg-desktop-portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # speak to main xdg-desktop-portal
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
    sandbox.extraPaths = [
--- a/hosts/common/programs/youtube-tui.nix
+++ b/hosts/common/programs/youtube-tui.nix
@@ -67,6 +67,6 @@
      # ".config/youtube-tui"  #< it populates its own config, other than just main.yml
      "tmp/youtube-tui"
    ];
-    sandbox.whitelistDbus = [ "user" ];  #< xdg-open via portal
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  #< xdg-open via portal
  };
 }
--- a/hosts/common/programs/zulip.nix
+++ b/hosts/common/programs/zulip.nix
@@ -2,7 +2,7 @@
 {
  sane.programs.zulip = {
    sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # notifications (i hope!)
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # notifications (i hope!)
    sandbox.whitelistWayland = true;
    # creds
    persist.byStore.private = [ ".config/Zulip" ];
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -76,7 +76,7 @@ let
          "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here (if using systemd-resolved)
        ] ++ lib.optionals (sandbox.net == "all" && config.services.avahi.enable) [
          "/var/run/avahi-daemon"  #< yes, it has to be "/var/run/...". required for nss (e.g. `getent hosts desko.local`)
-        ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [
+        ] ++ lib.optionals sandbox.whitelistDbus.system [
          "/var/run/dbus/system_bus_socket"  #< XXX: use /var/run/..., for the rare program which requires that (i.e. avahi users)
        ] ++ sandbox.extraPaths
        ;
@@ -105,7 +105,17 @@ let
            vpn.dns
          else
            null;
-          # the sandboxer should understand how to work with duplicated paths, but it's annoying => `lib.unique`
+          allowedDbusCall = lib.flatten (
+            lib.mapAttrsToList
+              (interface: value: lib.map (callSpec: "${interface}=${callSpec}") value.call)
+              sandbox.whitelistDbus.user
+          );
+          allowedDbusOwn = lib.flatten (
+            lib.mapAttrsToList
+              (interface: value: lib.optional value.own interface)
+              sandbox.whitelistDbus.user
+          );
+          # the sandboxer knows how to work with duplicated paths, but they're still annoying => `lib.unique`
          allowedPaths = lib.unique allowedPaths;
          allowedHomePaths = lib.unique allowedHomePaths;
          allowedRunPaths = lib.unique allowedRunPaths;
@@ -288,7 +298,7 @@ let
            depends = svcCfg.depends
              ++ lib.optionals (((config.persist.byStore or {}).private or []) != []) [
              "private-storage"
-            ] ++ lib.optionals (svcName != "dbus-user" && builtins.elem "user" config.sandbox.whitelistDbus && cfg.dbus.enabled) [
+            ] ++ lib.optionals (svcName != "dbus-user" && config.sandbox.whitelistDbus.user != {} && cfg.dbus.enabled) [
              "dbus-user"
            ] ++ lib.optionals ((!builtins.elem "wayland" svcCfg.partOf) && config.sandbox.whitelistWayland) [
              "wayland"
@@ -450,11 +460,49 @@ let
          pipewire-aware applications shouldn't need this.
        '';
      };
-      sandbox.whitelistDbus = mkOption {
-        type = types.listOf (types.enum [ "user" "system" ]);
+      sandbox.whitelistDbus.user = let
+        dbusInterfaceModule = types.submodule {
+          options = {
+            own = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                allow the sandbox to own this well-defined name.
+              '';
+            };
+            call = mkOption {
+              type = types.coercedTo types.str (s: [ s ]) (types.listOf types.str);
              default = [];
              description = ''
-          allow sandbox to freely interact with dbus services.
+                allow the sandbox to call methods on this well-defined name
+                so long as they this method specifier.
+              '';
+            };
+          };
+        };
+      in mkOption {
+        type = types.coercedTo
+          types.bool (b: lib.optionalAttrs b { "*".own = true; })
+          (types.attrsOf dbusInterfaceModule);
+        default = {};
+        description = ''
+          allow sandbox to selectively interact with user dbus services.
+          e.g. {
+            "org.gnome.Calls".own = true;
+            "org.freedesktop.portal".call = "org.freedesktop.portal.FileChooser.*";
+          };
+          special `*` path can be used to allow ALL user dbus traffic:
+          e.g. {
+            "*".call = true;
+            "*".own = true;
+          }
+        '';
+      };
+      sandbox.whitelistDbus.system = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow sandbox to freely interact with system dbus services.
        '';
      };
      sandbox.whitelistDri = mkOption {
@@ -610,7 +658,7 @@ let

      sandbox.keepPids = lib.mkIf config.sandbox.keepPidsAndProc true;

-      sandbox.whitelistDbus = lib.mkIf config.sandbox.whitelistSystemctl [ "system" ];
+      sandbox.whitelistDbus.system = lib.mkIf config.sandbox.whitelistSystemctl true;

      sandbox.extraEnv = {
        MESA_SHADER_CACHE_DIR = lib.mkIf (config.sandbox.mesaCacheDir != null) "$HOME/${config.sandbox.mesaCacheDir}";
@@ -700,7 +748,7 @@ let
      ;
      sandbox.extraRuntimePaths =
        lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ]  # this includes pipewire/pipewire-0-manager: is that ok?
-        ++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "dbus" ]
+        ++ lib.optionals ((config.sandbox.whitelistDbus.user."*" or {}).own or false) [ "dbus" ]
        ++ lib.optionals config.sandbox.whitelistWayland [ "wl" ]  # app can still communicate with wayland server w/o this, if it has net access
        ++ lib.optionals config.sandbox.whitelistS6 [ "s6" ]  # TODO: this allows re-writing the services themselves: don't allow that!
      ;
--- a/modules/programs/make-sandbox-args.nix
+++ b/modules/programs/make-sandbox-args.nix
@@ -3,6 +3,8 @@ let
  bunpenGenerators = {
    autodetectCliPaths = style: [ "--bunpen-autodetect" style ];
    capability = cap: [ "--bunpen-cap" cap ];
+    dbusCall = spec: [ "--bunpen-dbus-call" spec ];
+    dbusOwn = interface: [ "--bunpen-dbus-own" interface ];
    dns = addr: [ "--bunpen-dns" addr ];
    env = key: value: [ "--bunpen-env" "${key}=${value}" ];
    keepIpc = [ "--bunpen-keep-ipc" ];
@@ -40,6 +42,8 @@ let
 in
 {
  method,
+  allowedDbusCall ? [],
+  allowedDbusOwn ? [],
  allowedPaths ? [],
  allowedHomePaths ? [],
  allowedRunPaths ? [],
@@ -67,6 +71,10 @@ let

  envArgs = lib.flatten (lib.mapAttrsToList gen.env extraEnv);

+  dbusItems = lib.flatten (lib.map gen.dbusOwn allowedDbusOwn)
+    ++ lib.flatten (lib.map gen.dbusCall allowedDbusCall)
+  ;
+
  netItems = lib.optionals (netDev != null) (gen.netDev netDev)
    ++ lib.optionals (netGateway != null) (gen.netGateway netGateway)
    ++ lib.optionals (dns != null) (lib.flatten (builtins.map gen.dns dns))
@@ -74,6 +82,7 @@ let

 in
  (gen.method method)
+  ++ dbusItems
  ++ netItems
  ++ allowPaths "unqualified" allowedPaths
  ++ allowPaths "home" allowedHomePaths