From 5c8bb55cec605c8725d4c32b081b709d953ae8e5 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Mon, 5 Feb 2024 22:33:42 +0000
Subject: [PATCH] todo.md: better sandboxing around /mnt/servo-media

---
 TODO.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/TODO.md b/TODO.md
index d11d8de8..dc49ba30 100644
--- a/TODO.md
+++ b/TODO.md
@@ -55,6 +55,11 @@
     - <https://github.com/flatpak/xdg-dbus-proxy>
   - remove `.ssh` access from Firefox!
     - limit access to `~/private/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
+  - make /mnt/servo-media more sandbox-friendly
+    - having the sandboxer detect ~/Videos and ~/Videos/servo, and derefrencing the symlink in the latter (rather than consolidating them), to add those paths, would go a long way.
+    - ~/Videos/servo would also need to link not to /mnt/servo-media/Videos, but to /mnt/servo-nfs/media/Videos
+      - maybe just kill /mnt/servo-nfs and /mnt/servo-media, consolidate to /mnt/servo/media/...
+      - and rework /mnt/desko-home -> /mnt/desko/home, ...
 - make dconf stuff less monolithic
   - i.e. per-app dconf profiles for those which need it. possible static config.
 - canaries for important services