programs: introduce and use "autodetectCliPaths" nix config

hosts/common/programs/audacity.nix

@@ -10,12 +10,12 @@
     };
 
     sandbox.method = "bwrap";
-    sandbox.extraConfig = [
-      "--sane-sandbox-autodetect"
+    sandbox.autodetectCliPaths = true;
+    sandbox.extraHomePaths = [
+      # support media imports via file->open dir to some common media directories
+      "tmp"
+      "Music"
     ];
-    # support media imports via file->open dir to some common media directories
-    fs."tmp" = {};
-    fs."Music" = {};
 
     # disable first-run splash screen
     fs.".config/audacity/audacity.cfg".file.text = ''

hosts/common/programs/evince.nix

@@ -2,9 +2,7 @@
 {
   sane.programs.evince = {
     sandbox.method = "bwrap";
-    sandbox.extraConfig = [
-      "--sane-sandbox-autodetect"
-    ];
+    sandbox.autodetectCliPaths = true;
     mime.associations."application/pdf" = "org.gnome.Evince.desktop";
   };
 }

hosts/common/programs/go2tv.nix

@@ -34,9 +34,7 @@ in
 {
   sane.programs.go2tv = {
     sandbox.method = "bwrap";
-    sandbox.extraConfig = [
-      "--sane-sandbox-autodetect"
-    ];
+    sandbox.autodetectCliPaths = true;
     # for GUI invocation, allow the common media directories
     sandbox.extraHomePaths = [
       "Music"

hosts/common/programs/libreoffice.nix

@@ -7,9 +7,7 @@
     # packageUnwrapped = pkgs.libreoffice-still;
     packageUnwrapped = pkgs.libreoffice-fresh;
     sandbox.method = "bwrap";
-    sandbox.extraConfig = [
-      "--sane-sandbox-autodetect"
-    ];
+    sandbox.autodetectCliPaths = true;
     sandbox.extraHomePaths = [
       # allow a spot to save files.
       # with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,

hosts/common/programs/mpv.nix

@@ -63,9 +63,7 @@ in
     });
 
     sandbox.method = "bwrap";
-    sandbox.extraConfig = [
-      "--sane-sandbox-autodetect"
-    ];
+    sandbox.autodetectCliPaths = true;
 
     persist.byStore.plaintext = [ ".local/state/mpv/watch_later" ];
     fs.".config/mpv/input.conf".symlink.text = let

hosts/common/programs/vlc.nix

@@ -11,9 +11,7 @@ in
 {
   sane.programs.vlc = {
     sandbox.method = "bwrap";
-    sandbox.extraConfig = [
-      "--sane-sandbox-autodetect"
-    ];
+    sandbox.autodetectCliPaths = true;
     persist.byStore.private = [
       # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
       # filenames are stored in plaintext (unlike mpv, which i think hashes them)

modules/programs/default.nix

@@ -252,6 +252,13 @@ let
           "wrappedDerivation" is mostly good for prototyping.
         '';
       };
+      sandbox.autodetectCliPaths = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          if a CLI argument looks like a PATH, should we add it to the sandbox?
+        '';
+      };
       sandbox.binMap = mkOption {
         type = types.attrsOf types.str;
         default = {};

modules/programs/make-sandboxed.nix

@@ -15,7 +15,7 @@ let
     runHook postFixup
   '';
 in
-{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
+{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
 let
   sane-sandboxed' = sane-sandboxed.meta.mainProgram;  #< load by bin name to reduce rebuilds
 
@@ -45,6 +45,7 @@ let
   ] ++ allowPaths allowedRootPaths
     ++ allowHomePaths allowedHomePaths
     ++ capabilityFlags
+    ++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
     ++ lib.optionals (vpn != null) vpnItems
     ++ extraConfig;