megapixels: sandbox

it's iffy... 1.8.0 is released, which can be sandboxed w/o sys/dev/char or ~/.local/share/applications, but seems to be even flakier
2024-02-18 17:44:49 +00:00 · 2024-02-18 17:44:49 +00:00 · 7e5eb6324d
commit 7e5eb6324d
parent 95cb5624ca
1 changed files with 29 additions and 2 deletions
--- a/hosts/common/programs/megapixels.nix
+++ b/hosts/common/programs/megapixels.nix
@ -1,20 +1,47 @@
 { ... }:
 {
  sane.programs.megapixels = {
-    sandbox.method = "bwrap";
+    # megapixels sandboxing is tough:
+    # if misconfigured, preview will alternately be OK, black, or only 1/4 of it will be rendered -- with no obvious pattern.
+    # adding all of ~ to the sandbox will sometimes (?) fix the flakiness, even when `strace` doesn't show it accessing any files...
+    # it might just be that megapixels is sensitive to low perf. e.g. it's racy
+    #
+    # further, it doesn't use either portals or xdg-open to launch the image viewer.
+    # bwrap (loupe image viewer) doesn't like to run inside landlock
+    #   "bwrap: failed to make / slave: Operation not permitted"
+    sandbox.method = "landlock";  # supports landlock or bwrap
    sandbox.wrapperType = "wrappedDerivation";
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
+    sandbox.whitelistDbus = [ "user" ];  #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
    sandbox.extraHomePaths = [
+      # ".config/megapixels"
+      # ".config/xcb"
+      # ".xcb"
+      ".config/dconf"  #< not sure if necessary
+      ".local/share/applications"  #< 1.7.0 would hang on launch without .desktop files, seems fixed in 1.8.0
+      # ".local/share/icons"
+      # ".icons"  #< actually needed!
+      # ".themes"
+      # ".nix-profile"
+      ".cache/mesa_shader_cache"  # loads way faster
      "tmp"
      "Pictures"
+      # also it addresses a lot via relative path.
    ];
    sandbox.extraPaths = [
      # needs /dev/media*, /dev/video*; easier to give it all of /dev which isn't that bad since it's not running as root.
      "/dev"
      # it passes the raw .dng files to a post-processor, via /tmp
      "/tmp"
+      "/sys/class/leds"  #< for flash, presumably
+      "/sys/dev/char"  #< not strictly necessary? but referenced in the source (for 1.7.0, not 1.8.0)
+      "/sys/devices"
+      "/sys/firmware"
+      # source code also expects /proc/device-tree/compatible
+    ];
+    sandbox.extraRuntimePaths = [
+      "dconf"  #< else it's very spammy, and slow
    ];
-    # TODO: surely needs access to the camera device, etc.
  };
 }