modules/programs: sandboxing: add a "whitelistX" option

modules/programs/default.nix

@@ -283,14 +283,16 @@ let
       sandbox.net = mkOption {
         type = types.coercedTo
           types.str
-          (s: if s == "clearnet" then "all" else s)
+          (s: if s == "clearnet" || s == "localhost" then "all" else s)
           (types.enum [ null "all" "vpn" ]);
         default = null;
         description = ''
           how this app should have its network traffic routed.
           - "all": unsandboxed network.
           - "clearnet": traffic is routed only over clearnet.
-            currently, just an alias for "all"
+            currently, just an alias for "all".
+          - "localhost": only needs access to other services running on this host.
+            currently, just an alias for "all".
           - "vpn": to route all traffic over the default VPN.
           - null: to maximally isolate from the network.
         '';
@@ -400,6 +402,14 @@ let
           note that this does NOT permit access to compositor admin tooling like `swaymsg`.
         '';
       };
+      sandbox.whitelistX = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow the sandbox to communicate with the X server.
+          typically, this is actually the Xwayland server and you should also enable `whitelistWayland`.
+        '';
+      };
 
       sandbox.extraPaths = mkOption {
         type = types.listOf types.str;
@@ -477,6 +487,8 @@ let
       # this gets the symlink into the sandbox, but not the actual secret.
       fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
 
+      sandbox.net = lib.mkIf config.sandbox.whitelistX "localhost";
+
       sandbox.extraPaths = lib.mkIf config.sandbox.whitelistDri [
         # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
         # - but everything seems to gracefully fallback to *something* (MESA software rendering?)