sway: move $WAYLAND_DISPLAY into a subdir to make it easier to sandbox
This commit is contained in:
parent
39de5b84c2
commit
6102a0301d
|
@ -218,7 +218,7 @@ in
|
|||
# TODO: ensure this is reliable? might not work across sway restarts, etc.
|
||||
env.DISPLAY = ":0";
|
||||
# docs: <https://discourse.ubuntu.com/t/environment-variables-for-wayland-hackers/12750>
|
||||
env.WAYLAND_DISPLAY = "wayland-1";
|
||||
env.WAYLAND_DISPLAY = "$XDG_RUNTIME_DIR/wayland/wayland-1";
|
||||
|
||||
services.sway = {
|
||||
description = "sway: tiling wayland desktop environment";
|
||||
|
@ -226,10 +226,23 @@ in
|
|||
command = pkgs.writeShellScript "sway-start" ''
|
||||
# have to create these directories before launching sway so that they're available in the sandbox
|
||||
mkdir -p "$(dirname "$SWAYSOCK")"
|
||||
mkdir -p "$(dirname "$WAYLAND_DISPLAY")"
|
||||
mkdir -p /tmp/.X11-unix # for Xwayland
|
||||
exec sway
|
||||
'';
|
||||
readiness.waitExists = "$SWAYSOCK";
|
||||
# readiness.waitExists = "$SWAYSOCK";
|
||||
readiness.waitCommand = pkgs.writeShellScript "sway-readycheck" ''
|
||||
# wait for sway to create its socket AND its wayland display.
|
||||
# it doesn't know to create the wayland display in the right directory, so have to manually move it socket... bleh.
|
||||
# TODO: socket moving could be more reliable inside of the sway config
|
||||
set -e
|
||||
test -e "$SWAYSOCK"
|
||||
expected_display="$XDG_RUNTIME_DIR/$(basename "$WAYLAND_DISPLAY")"
|
||||
test -e "$expected_display" && test -e "$expected_display.lock"
|
||||
set +e # make only a best-effort to move these; if it fails (because e.g. perms, or destination exists somehow), don't hold up init
|
||||
mv "$expected_display" "$WAYLAND_DISPLAY"
|
||||
mv "$expected_display.lock" "$WAYLAND_DISPLAY.lock"
|
||||
'';
|
||||
};
|
||||
# link the graphical-session into the default target, so sway gets auto-started
|
||||
services.graphical-session.partOf = [ "default" ];
|
||||
|
|
|
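Review bot: The readiness script's result is whatever the final `mv` on L95 returns, so the L89 comment about not holding up init only holds when that last move succeeds; if the socket move on L92 succeeds but the `.lock` move fails, the check exits nonzero and every retry then dies at `test -e "$expected_display" && test -e "$expected_display.lock"` under `set -e` (the socket is no longer at the old path), leaving the service never-ready. Making the script idempotent fixes the retry path: before the `set -e` tests add `test -S "$WAYLAND_DISPLAY" && exit 0  # already relocated on an earlier attempt`, and finish with `exit 0` if best-effort really is the intended semantics. Separately, the `wayland` directory created by `mkdir -p "$(dirname "$WAYLAND_DISPLAY")"` on L47 takes its mode from the process umask; since this is the directory the sandbox hunk bind-mounts into apps, `mkdir -p -m 0700` would pin the intended permissions explicitly (presumably moot under a 0700 `$XDG_RUNTIME_DIR`, but worth not relying on). The `services.sway` attribute set begins before this hunk.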
@ -72,7 +72,7 @@ let
|
|||
sandbox.extraRuntimePaths
|
||||
++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
|
||||
++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
|
||||
++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access
|
||||
++ lib.optionals sandbox.whitelistWayland [ "wayland" ] # app can still communicate with wayland server w/o this, if it has net access
|
||||
)
|
||||
);
|
||||
allowedPaths = [
|
||||
|
|
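Review bot: The directory name `wayland` on L128 duplicates the path chosen for `WAYLAND_DISPLAY` in the sway service (`$XDG_RUNTIME_DIR/wayland/wayland-1`) with nothing tying the two together, and the trailing comment is copied verbatim from the removed per-file whitelist, so it no longer describes what is exposed. Whitelisting a directory rather than `wayland-1` and `wayland-1.lock` means anything later placed in `$XDG_RUNTIME_DIR/wayland/` becomes visible to every app with `whitelistWayland`; the line deserves a comment recording that, e.g. `# whole dir, not just the socket: must match the WAYLAND_DISPLAY subdir set in the sway service, and anything else dropped here is exposed to every wayland-enabled sandbox`. Whether the mount is read-only (so a sandboxed app cannot replace the socket) depends on sandboxer options not visible in this hunk. The `let` binding this list belongs to starts before the hunk.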