colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: add more portal sandboxing options, and MPRIS option

Browse Source
This commit is contained in:
Colin
2025-01-08 23:54:22 +00:00
parent 091de5c788
commit 4c56ea3e6b
1 changed files with 23 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
modules/programs/default.nix
View File

@@ -520,28 +520,40 @@ let
broad and unaudited attack surface. broad and unaudited attack surface.
''; '';
}; };
sandbox.whitelistMpris.controlPlayers = mkOption {
type = types.bool;
default = false;
description = ''
allow to control *all known* mpris-capable players on the machine.
'';
};
sandbox.whitelistPortal = mkOption { sandbox.whitelistPortal = mkOption {
type = types.listOf (types.enum [ type = types.listOf (types.enum [
# portal references: <https://flatpak.github.io/xdg-desktop-portal/docs/api-reference.html>
# "Account" # "Account"
# "Camera" "Camera"
# "Device" # "Clipboard" # XXX(2025-01-08): inaccessible due to missing org.freedesktop.impl.portal.Clipboard
# "Device" # removed in 1.19.0 (2024-10-09)
"DynamicLauncher" "DynamicLauncher"
# "Email" # "Email"
"FileChooser" "FileChooser"
# "FileTransfer" # XXX(2025-01-08): inaccessible. part of org.freedesktop.portal.Documents, which i'm not using
# "GameMode" # "GameMode"
# "Inhibit" # XXX(2025-01-08): inaccessible due to missing org.freedesktop.impl.portal.Inhibit
"Location" "Location"
# "MemoryMonitor" # "MemoryMonitor"
"NetworkMonitor" # bleh! "NetworkMonitor" # bleh!
"Notification" "Notification"
"OpenURI" "OpenURI"
# "PowerProfileMonitor" # "PowerProfileMonitor"
# "Print" "Print"
# "ProxyResolver" # "ProxyResolver"
# "Realtime" # "Realtime"
# "ScreenCast" "ScreenCast"
# "Screenshot" # "Screenshot"
# "Settings" # "Settings"
# "Trash" # "Trash"
# "Usb" # added in 1.19.1 (2024-12-21)
# "Wallpaper" # "Wallpaper"
]); ]);
default = []; default = [];
@@ -706,6 +718,13 @@ let
"org.freedesktop.Notifications" = "*"; # Notify, NotificationClosed, NotificationReplied, ActionInvoked "org.freedesktop.Notifications" = "*"; # Notify, NotificationClosed, NotificationReplied, ActionInvoked
"org.erikreider.swaync.cc" = "*"; #< probably overkill "org.erikreider.swaync.cc" = "*"; #< probably overkill
}) })
(lib.mkIf config.sandbox.whitelistMpris.controlPlayers {
# "org.mpris.MediaPlayer2.playerctld" = "*";
# `org.mpris.MediaPlayer2.*` acts recursively, granting access to e.g.:
# - org.mpris.MediaPlayer2.mpv (which mpv claims by default)
# - org.mpris.MediaPlayer2.mpv.instance2 (which mpv claims when the former is already taken)
"org.mpris.MediaPlayer2.*" = "*"; #< TODO: limit to only being able to call actual interface members, otherise this may inadvertently grant access to other dbus controls of the player (which could be large, e.g. a IM client or web browser)
})
] ++ lib.forEach config.sandbox.whitelistPortal (p: { ] ++ lib.forEach config.sandbox.whitelistPortal (p: {
"org.freedesktop.portal.Desktop" = [ "org.freedesktop.portal.Desktop" = [
"org.freedesktop.portal.${p}.*" "org.freedesktop.portal.${p}.*"