programs: remove audio from the sandbox by default

hosts/common/programs/assorted.nix

@@ -223,6 +223,7 @@ in
     # INDIVIDUAL PACKAGE DEFINITIONS
     blanket.sandbox.method = "bwrap";
     blanket.sandbox.wrapperType = "wrappedDerivation";
+    blanket.sandbox.whitelistAudio = true;
 
     brightnessctl.sandbox.method = "bwrap";
     brightnessctl.sandbox.wrapperType = "wrappedDerivation";
@@ -239,6 +240,7 @@ in
     # auth token, preferences
     delfin.sandbox.method = "bwrap";
     delfin.sandbox.wrapperType = "wrappedDerivation";
+    delfin.sandbox.whitelistAudio = true;
     delfin.sandbox.whitelistDri = true;
     delfin.sandbox.net = "clearnet";
     delfin.persist.byStore.private = [ ".config/delfin" ];
@@ -246,6 +248,7 @@ in
     # creds, but also 200 MB of node modules, etc
     discord.sandbox.method = "bwrap";
     discord.sandbox.wrapperType = "inplace";  #< /opt-style packaging
+    discord.sandbox.whitelistAudio = true;
     discord.sandbox.net = "clearnet";
     discord.persist.byStore.private = [ ".config/discord" ];
 
@@ -424,6 +427,7 @@ in
 
     superTux.sandbox.method = "bwrap";
     superTux.sandbox.wrapperType = "wrappedDerivation";
+    superTux.sandbox.whitelistAudio = true;
     superTux.sandbox.whitelistDri = true;
     superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
 
@@ -454,6 +458,7 @@ in
 
     vvvvvv.sandbox.method = "bwrap";
     vvvvvv.sandbox.wrapperType = "wrappedDerivation";
+    vvvvvv.sandbox.whitelistAudio = true;
     vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
     vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 

hosts/common/programs/audacity.nix

@@ -11,6 +11,7 @@
 
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistAudio = true;
     sandbox.autodetectCliPaths = true;
     sandbox.extraHomePaths = [
       # support media imports via file->open dir to some common media directories

hosts/common/programs/brave.nix

@@ -8,6 +8,7 @@
       "dev"  # for developing anything web-related
       "tmp"
     ];
+    sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     persist.byStore.cryptClearOnBoot = [
       ".cache/BraveSoftware"

hosts/common/programs/cozy.nix

@@ -4,6 +4,7 @@
   sane.programs.cozy = {
     sandbox.method = "bwrap";  # landlock gives: _multiprocessing.SemLock: Permission Denied
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistAudio = true;
     sandbox.extraHomePaths = [
       "Books"
       "Books/servo"

hosts/common/programs/dino.nix

@@ -48,6 +48,8 @@ in
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
 
     persist.byStore.private = [ ".local/share/dino" ];
 

hosts/common/programs/element-desktop.nix

@@ -10,6 +10,8 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDri = true;
     packageUnwrapped = pkgs.element-desktop.override {
       # use pre-build electron because otherwise it takes 4 hrs to build from source.
       electron = pkgs.electron-bin;

hosts/common/programs/epiphany.nix

@@ -11,6 +11,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
     # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
     # enabling DRI/DRM (as below) seems to fix that.
     sandbox.whitelistDri = true;

hosts/common/programs/firefox.nix

@@ -236,6 +236,7 @@ in
         sandbox.method = "bwrap";  # landlock works, but requires all of /proc to be linked
         sandbox.wrapperType = "inplace";  # probably wrappedDerivation could work too.
         sandbox.net = "all";
+        sandbox.whitelistAudio = true;
         sandbox.extraHomePaths = [
           "dev"  # for developing anything web-related
           "tmp"

hosts/common/programs/fractal.nix

@@ -30,6 +30,7 @@ in
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
 
     configOption = with lib; mkOption {

hosts/common/programs/frozen-bubble.nix

@@ -5,6 +5,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";  # net play
+    sandbox.whitelistAudio = true;
     packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
       # patch so it stores its dot-files not in root ~.
       postPatch = (upstream.postPatch or "") + ''

hosts/common/programs/g4music.nix

@@ -10,6 +10,7 @@
   sane.programs.g4music = {
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistAudio = true;
     sandbox.extraHomePaths = [
       "Music"
     ];

hosts/common/programs/gtkcord4.nix

@@ -34,6 +34,8 @@ in
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
+    sandbox.whitelistDri = true;
 
     persist.byStore.private = [
       ".cache/gtkcord4"

hosts/common/programs/kdenlive.nix

@@ -11,6 +11,7 @@
       "Videos/servo"
       "tmp"
     ];
+    sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     packageUnwrapped = pkgs.kdenlive.override {
       ffmpeg-full = pkgs.ffmpeg-full.override {

hosts/common/programs/signal-desktop.nix

@@ -25,6 +25,7 @@ in
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
 
     # creds, media
     persist.byStore.private = [

hosts/common/programs/spot.nix

@@ -4,6 +4,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
     secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
     persist.byStore.plaintext = [
       ".cache/spot/img"  # album art

hosts/common/programs/spotify.nix

@@ -4,6 +4,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # nontraditional package structure, where binaries live in /share/spotify
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
     sandbox.extraConfig = [
       "--sane-sandbox-firejail-arg"
       "--keep-dev-shm"

hosts/common/programs/supertuxkart.nix

@@ -4,6 +4,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";  # net play
+    sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
     persist.byStore.plaintext = [
       ".cache/supertuxkart"

hosts/common/programs/tor-browser.nix

@@ -10,6 +10,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";  # tor over VPN wouldn't make sense
+    sandbox.whitelistAudio = true;
     persist.byStore.cryptClearOnBoot = [
       ".local/share/tor-browser"
     ];

hosts/common/programs/tuba.nix

@@ -4,6 +4,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
     suggestedPrograms = [ "gnome-keyring" ];
   };
 }

hosts/common/programs/vlc.nix

@@ -18,6 +18,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.autodetectCliPaths = true;
+    sandbox.whitelistAudio = true;
     persist.byStore.private = [
       # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
       # filenames are stored in plaintext (unlike mpv, which i think hashes them)

hosts/common/programs/wike.nix

@@ -4,6 +4,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # share/wike/wike-sp refers back to the binaries and share
     sandbox.net = "clearnet";
+    sandbox.whitelistAudio = true;
     sandbox.extraPaths = [
       # wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
       # TODO: these could maybe be mounted empty.

modules/programs/default.nix

@@ -357,7 +357,7 @@ let
       };
       sandbox.whitelistAudio = mkOption {
         type = types.bool;
-        default = true;  #< TODO: harden default!
+        default = false;
         description = ''
           allow sandbox to freely interact with pulse/pipewire.
         '';