From 35ce9a412d33dbdd3dce0355691c9a18eceb535a Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 10 Jan 2025 00:23:31 +0000
Subject: [PATCH] rofi-run-command: restrict dbus can't restrict ALL of rofi, for some reason. maybe dbus proxies don't nest well?
---
 hosts/common/programs/rofi/default.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/hosts/common/programs/rofi/default.nix b/hosts/common/programs/rofi/default.nix
index 9f8eff1ab..404fcfa83 100644
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -94,7 +94,11 @@ in
 "rofi-run-command"
 ];
- sandbox.whitelistDbus.user = true; #< TODO: reduce #< to launch apps via the portal
+ sandbox.whitelistDbus.user = true; #< TODO: should only need DynamicLauncher / OpenURI (nested xdg-dbus-proxy issue?)
+ # sandbox.whitelistPortal = [
+ # "DynamicLauncher"
+ # "OpenURI"
+ # ];
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 ".local/share/applications" #< to locate .desktop files
@@ -142,7 +146,10 @@ in
 };
 # sandboxing options cribbed from sane-open
 sandbox.autodetectCliPaths = "existing"; # for when opening a file
- sandbox.whitelistDbus.user = true; #< TODO: reduce
+ sandbox.whitelistPortal = [
+ "DynamicLauncher"
+ "OpenURI"
+ ];
 sandbox.keepPidsAndProc = true;
 sandbox.extraHomePaths = [ ".local/share/applications" ];
 sandbox.extraRuntimePaths = [ "sway" ];
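Review bot: The rewritten TODO on `sandbox.whitelistDbus.user = true;` in the first hunk names the portals that should suffice but not what fails when they are used, so the commented-out `sandbox.whitelistPortal` block cannot be re-tested against a known symptom. After this commit the rofi block still has the unfiltered user bus, and only the block in the second hunk (rofi-run-command, going by the commit subject) is narrowed; the comment should say that plainly. I would write `#< TODO: narrow to whitelistPortal [ "DynamicLauncher" "OpenURI" ]; currently fails with <observed error> (suspected nested xdg-dbus-proxy)` and drop the four commented-out lines. The enclosing attribute set starts and ends outside the hunk.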
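Review bot: The new `sandbox.whitelistPortal` list in the second hunk has no why-comment, whereas the line removed in the first hunk at least carried `#< to launch apps via the portal`. As far as I know the DynamicLauncher portal also offers launcher install and uninstall methods besides launching, so it is worth recording that only launching is intended, e.g. `# DynamicLauncher: launch .desktop entries; OpenURI: open files/URLs; no other user-bus access needed` on the line above. `whitelistPortal` is defined outside this hunk; I assume it filters the user bus down to the listed portal interfaces rather than adding to a wider default, and that should be confirmed because the tightening this commit claims depends on it.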