sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox

2024-03-23 16:37:22 +00:00 · 2024-03-23 16:37:22 +00:00 · 6102a0301d
parent 39de5b84c2
commit 6102a0301d
2 changed files with 16 additions and 3 deletions
--- a/hosts/common/programs/sway/default.nix
+++ b/hosts/common/programs/sway/default.nix
@ -218,7 +218,7 @@ in
    # TODO: ensure this is reliable? might not work across sway restarts, etc.
    env.DISPLAY = ":0";
    # docs: <https://discourse.ubuntu.com/t/environment-variables-for-wayland-hackers/12750>
-    env.WAYLAND_DISPLAY = "wayland-1";
+    env.WAYLAND_DISPLAY = "$XDG_RUNTIME_DIR/wayland/wayland-1";

    services.sway = {
      description = "sway: tiling wayland desktop environment";
@ -226,10 +226,23 @@ in
      command = pkgs.writeShellScript "sway-start" ''
        # have to create these directories before launching sway so that they're available in the sandbox
        mkdir -p "$(dirname "$SWAYSOCK")"
+        mkdir -p "$(dirname "$WAYLAND_DISPLAY")"
        mkdir -p /tmp/.X11-unix  # for Xwayland
        exec sway
      '';
-      readiness.waitExists = "$SWAYSOCK";
+      # readiness.waitExists = "$SWAYSOCK";
+      readiness.waitCommand = pkgs.writeShellScript "sway-readycheck" ''
+        # wait for sway to create its socket AND its wayland display.
+        # it doesn't know to create the wayland display in the right directory, so have to manually move it socket... bleh.
+        # TODO: socket moving could be more reliable inside of the sway config
+        set -e
+        test -e "$SWAYSOCK"
+        expected_display="$XDG_RUNTIME_DIR/$(basename "$WAYLAND_DISPLAY")"
+        test -e "$expected_display" && test -e "$expected_display.lock"
+        set +e  # make only a best-effort to move these; if it fails (because e.g. perms, or destination exists somehow), don't hold up init
+        mv "$expected_display" "$WAYLAND_DISPLAY"
+        mv "$expected_display.lock" "$WAYLAND_DISPLAY.lock"
+      '';
    };
    # link the graphical-session into the default target, so sway gets auto-started
    services.graphical-session.partOf = [ "default" ];
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -72,7 +72,7 @@ let
                sandbox.extraRuntimePaths
                ++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ]  # this includes pipewire/pipewire-0-manager: is that ok?
                ++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
-                ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ]  # app can still communicate with wayland server w/o this, if it has net access
+                ++ lib.optionals sandbox.whitelistWayland [ "wayland" ]  # app can still communicate with wayland server w/o this, if it has net access
              )
          );
          allowedPaths = [