programs/epiphany: fix so it launches again (had an overly restrictive bunpen sandbox, after i enabled webkit sandboxing)

2025-03-25 15:25:16 +00:00
parent 662525d159
commit 7169193cc4
1 changed files with 20 additions and 11 deletions
--- a/hosts/common/programs/epiphany.nix
+++ b/hosts/common/programs/epiphany.nix
@@ -14,17 +14,19 @@
    sandbox.wrapperType = "inplace";  # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
    sandbox.net = "clearnet";
    sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus.user.own = [ "org.gnome.Epiphany" ];
-    sandbox.whitelistPortal = [
-      # these are all speculative
-      "Camera"
-      "FileChooser"
-      "Location"
-      "OpenURI"
-      "Print"
-      "ProxyResolver"  #< required else it doesn't load websites
-      "ScreenCast"
-    ];
+    sandbox.whitelistDbus.user = true;  #< TODO: reduce. requires to support nested dbus proxy though.
+    # sandbox.whitelistDbus.user.own = [ "org.gnome.Epiphany" ];
+    # sandbox.whitelistPortal = [
+    #   # these are all speculative
+    #   "Camera"
+    #   "FileChooser"
+    #   "Location"
+    #   "OpenURI"
+    #   "Print"
+    #   "ProxyResolver"  #< required else it doesn't load websites
+    #   "ScreenCast"
+    # ];
+
    # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
    # enabling DRI/DRM (as below) seems to fix that.
    sandbox.whitelistDri = true;
@@ -33,6 +35,13 @@
      ".config/epiphany"  #< else it gets angry at launch
      "tmp"
    ];
+    sandbox.extraPaths = [
+      # epiphany sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
+      # TODO: these could maybe be mounted empty.
+      "/sys/block"
+      "/sys/bus"
+      "/sys/class"
+    ];

    buildCost = 2;