modules/programs: sandbox: add whitelistWayland option

2024-02-13 10:24:35 +00:00 · 2024-02-13 10:24:35 +00:00 · 73afceb8c6
commit 73afceb8c6
parent 371af5939e
1 changed files with 10 additions and 1 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -71,8 +71,9 @@ let
              (p: path-lib.concat [ xdgRuntimeDir p ])
              (
                sandbox.extraRuntimePaths
-                ++ lib.optionals sandbox.whitelistDbus [ "bus" ]
                ++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ]  # also pipewire-0-manager, unknown purpose
+                ++ lib.optionals sandbox.whitelistDbus [ "bus" ]
+                ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ]  # app can still communicate with wayland server w/o this, if it has net access
              )
          );
          allowedPaths = [
@ -385,6 +386,14 @@ let
          allow the program full access to whichever directory it was launched from.
        '';
      };
+      sandbox.whitelistWayland = mkOption {
+        type = types.bool;
+        default = true;  #< TODO: harden default!
+        description = ''
+          allow sandbox to communicate with the wayland server.
+          note that this does NOT permit access to compositor admin tooling like `swaymsg`.
+        '';
+      };

      sandbox.extraPaths = mkOption {
        type = types.listOf types.str;