inkscape: split to own file and sandbox with bunpen

2024-09-03 18:45:37 +00:00
parent 94863db03a
commit 3478224bf9
3 changed files with 22 additions and 16 deletions


@@ -772,22 +772,6 @@ in
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
inkscape.buildCost = 1;
inkscape.sandbox.method = "bwrap";
inkscape.sandbox.whitelistWayland = true;
inkscape.sandbox.extraHomePaths = [
"Pictures/albums"
"Pictures/cat"
"Pictures/from"
"Pictures/Photos"
"Pictures/Screenshots"
"Pictures/servo-macros"
"dev"
"ref"
"tmp"
];
inkscape.sandbox.autodetectCliPaths = true;
iotop.sandbox.method = "landlock";
iotop.sandbox.extraPaths = [
"/proc"


@@ -85,6 +85,7 @@
./htop
./iio-sensor-proxy.nix
./imagemagick.nix
./inkscape.nix
./jellyfin-media-player.nix
./kdenlive.nix
./keymapp.nix


@@ -0,0 +1,21 @@
{ ... }:
{
sane.programs.inkscape = {
buildCost = 1;
sandbox.method = "bunpen";
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [
".config/dconf" #< else opening images fails
"Pictures/albums"
"Pictures/cat"
"Pictures/from"
"Pictures/Photos"
"Pictures/Screenshots"
"Pictures/servo-macros"
"dev"
"ref"
"tmp"
];
sandbox.autodetectCliPaths = true;
};
}
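Review bot: The new `".config/dconf"` entry in `sandbox.extraHomePaths` gives the sandboxed inkscape the user-wide dconf database, which stores settings for every dconf-backed application, not only inkscape. The hunk does not show whether `extraHomePaths` entries are mounted writable; if they are, an inkscape process that misbehaves while parsing an untrusted image could change other programs' settings from inside the sandbox, so a read-only mount or a per-program dconf profile would be preferable if the sandbox module offers one. At minimum the comment should record the trade-off, e.g. `".config/dconf"  #< else opening images fails; exposes the shared dconf db, keep read-only if possible`.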