inkscape: split to own file and sandbox with bunpen
@@ -772,22 +772,6 @@ in
|
||||
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
||||
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||
|
||||
inkscape.buildCost = 1;
|
||||
inkscape.sandbox.method = "bwrap";
|
||||
inkscape.sandbox.whitelistWayland = true;
|
||||
inkscape.sandbox.extraHomePaths = [
|
||||
"Pictures/albums"
|
||||
"Pictures/cat"
|
||||
"Pictures/from"
|
||||
"Pictures/Photos"
|
||||
"Pictures/Screenshots"
|
||||
"Pictures/servo-macros"
|
||||
"dev"
|
||||
"ref"
|
||||
"tmp"
|
||||
];
|
||||
inkscape.sandbox.autodetectCliPaths = true;
|
||||
|
||||
iotop.sandbox.method = "landlock";
|
||||
iotop.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
|
@@ -85,6 +85,7 @@
|
||||
./htop
|
||||
./iio-sensor-proxy.nix
|
||||
./imagemagick.nix
|
||||
./inkscape.nix
|
||||
./jellyfin-media-player.nix
|
||||
./kdenlive.nix
|
||||
./keymapp.nix
|
||||
|
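--- a/hosts/common/programs/inkscape.nix
+++ b/hosts/common/programs/inkscape.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+sane.programs.inkscape = {
+buildCost = 1;
+sandbox.method = "bunpen";
+sandbox.whitelistWayland = true;
+sandbox.extraHomePaths = [
+".config/dconf" #< else opening images fails
+"Pictures/albums"
+"Pictures/cat"
+"Pictures/from"
+"Pictures/Photos"
+"Pictures/Screenshots"
+"Pictures/servo-macros"
+"dev"
+"ref"
+"tmp"
+];
+sandbox.autodetectCliPaths = true;
+};
+}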
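Review bot: The new `".config/dconf"` entry in `sandbox.extraHomePaths` hands inkscape, which parses untrusted SVG and image files, the user's entire dconf store, and its comment records only the symptom. That directory holds settings for every dconf-backed application, so if the grant is writable (not visible from this file) a compromised inkscape could change other programs' configuration. I would document the trade-off at the entry, e.g. `".config/dconf"  #< else opening images fails; N.B.: exposes settings of all dconf apps, not only inkscape`, and narrow it to a read-only grant if the sandbox module has one. The carried-over `"dev"`, `"ref"` and `"tmp"` home paths are similarly broad next to `sandbox.autodetectCliPaths = true`, which presumably already admits files named on the command line.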