programs: handbrake: sandbox with bwrap

2024-02-05 22:28:15 +00:00 · 2024-02-05 22:28:15 +00:00 · 6eb2a3d67f
commit 6eb2a3d67f
parent ddc41bc9d8
1 changed files with 14 additions and 0 deletions
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@ -1,6 +1,20 @@
 { pkgs, ... }:
 {
  sane.programs.handbrake = {
+    sandbox.method = "bwrap";  #< landlock would be better (prevents output to tmp dirs), but needs work for /mnt/servo-media to function.
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"  # i have some videos in there too.
+      "Videos"
+      "tmp"
+    ];
+    sandbox.extraPaths = [
+      "/mnt/servo-media/Pictures"
+      "/mnt/servo-media/Videos"
+    ];
+    sandbox.autodetectCliPaths = true;
+
    # disable expensive sambda dependency; i don't use it.
    packageUnwrapped = pkgs.handbrake.override {
      ffmpeg_5-full = pkgs.ffmpeg_5-full.override {