programs: xdg-desktop-portal{-gtk,-wlr}: enable sandbox

Colin 2024-02-16 03:17:19 +00:00
parent 40ed7cff1b
commit 511752fab5


@ -562,16 +562,32 @@ in
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
# TODO: these live in /libexec
# xdg-desktop-portal-gtk.sandbox.method = "bwrap";
# xdg-desktop-portal-gtk.sandbox.wrapperType = "inplace";
# xdg-desktop-portal-gtk.sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
# xdg-desktop-portal-gtk.sandbox.whitelistWayland = true;
xdg-desktop-portal-gtk.sandbox.method = "bwrap";
xdg-desktop-portal-gtk.sandbox.wrapperType = "inplace";
xdg-desktop-portal-gtk.sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
xdg-desktop-portal-gtk.sandbox.whitelistWayland = true;
xdg-desktop-portal-gtk.sandbox.extraHomePaths = [
".local/share/applications" # file opener needs to find .desktop files, for their icon/name.
# for file-chooser portal users (fractal, firefox, ...), need to provide anything they might want.
# i think (?) portal users can only access the files here interactively, i.e. by me interacting with the portal's visual filechooser,
# so shoving stuff here is trusting the portal but not granting any trust to the portal user.
"Books"
"Music"
"Pictures"
"Pictures/servo-macros"
"Videos"
"Videos/servo"
"archive"
"dev"
"ref"
"tmp"
"use"
];
# xdg-desktop-portal-wlr.sandbox.method = "bwrap"; # TODO:sandbox: untested
# xdg-desktop-portal-wlr.sandbox.wrapperType = "inplace";
# xdg-desktop-portal-wlr.sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
# xdg-desktop-portal-wlr.sandbox.whitelistWayland = true;
xdg-desktop-portal-wlr.sandbox.method = "bwrap"; # TODO:sandbox: untested
xdg-desktop-portal-wlr.sandbox.wrapperType = "inplace";
xdg-desktop-portal-wlr.sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
xdg-desktop-portal-wlr.sandbox.whitelistWayland = true;
xdg-terminal-exec.sandbox.enable = false; # xdg-terminal-exec is a launcher for $TERM
xterm.sandbox.enable = false; # need to be able to do everything
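Review bot: The `extraHomePaths` list for xdg-desktop-portal-gtk is justified only by a comment that marks its own premise as unverified (`i think (?)`), yet it exposes `dev`, `tmp`, `archive` and the other listed directories to the portal. Whatever turns out to be true for portal users, the portal-gtk process itself can reach every listed directory, so the list is the effective exposure if that process misbehaves. I would state that in the comment, e.g. `# the portal process itself can reach everything listed here; keep this to what the file chooser must be able to show`, and resolve the `(?)` before relying on it. Separately, the xdg-desktop-portal-wlr lines are enabled while still tagged `TODO:sandbox: untested`. Screen capture normally hands frames over PipeWire, and nothing in the visible lines grants that, so confirm screencast still works under bwrap or leave wlr commented out until it has been tested.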