From 73afceb8c671da6a4f8eee4d07841bdb7e4d3e6d Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 13 Feb 2024 10:24:35 +0000
Subject: [PATCH] modules/programs: sandbox: add `whitelistWayland` option
---
 modules/programs/default.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index c3bb9cfd..fb385847 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -71,8 +71,9 @@ let
 (p: path-lib.concat [ xdgRuntimeDir p ])
 (
 sandbox.extraRuntimePaths
- ++ lib.optionals sandbox.whitelistDbus [ "bus" ]
 ++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
+ ++ lib.optionals sandbox.whitelistDbus [ "bus" ]
+ ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access
 )
 );
 allowedPaths = [
@@ -385,6 +386,14 @@ let
 allow the program full access to whichever directory it was launched from.
 '';
 };
+ sandbox.whitelistWayland = mkOption {
+ type = types.bool;
+ default = true; #< TODO: harden default!
+ description = ''
+ allow sandbox to communicate with the wayland server.
+ note that this does NOT permit access to compositor admin tooling like `swaymsg`.
+ '';
+ };
 sandbox.extraPaths = mkOption {
 type = types.listOf types.str;
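Review bot: In the first hunk, the trailing comment on the `whitelistWayland` line says a program with net access can still reach the wayland server when the option is off, so `whitelistWayland = false` is not an isolation boundary on its own, and the user-facing text never says so. I would carry that caveat into the option's description (second hunk), for example `disabling this only removes the wayland socket paths from the sandbox; a program with net access may still reach the compositor.`, so nobody relies on the flag alone. Separately, the socket name is hard-coded as `wayland-1`; if the session's `WAYLAND_DISPLAY` differs, the whitelist presumably exposes nothing, which fails closed but is hard to debug, so a short comment such as `# assumes WAYLAND_DISPLAY=wayland-1` would record the assumption. The enclosing `let` binding starts and ends outside the hunk.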