programs: pipewire: sandbox

still need to sandbox wireplumber

hosts/common/programs/pipewire.nix

@@ -7,11 +7,26 @@ in
   sane.programs.pipewire = {
     suggestedPrograms = [ "wireplumber" ];
 
-    # sandbox.method = "bwrap";
-    # sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
-    # # needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
-    # # sandbox.extraRuntimePaths = [ "/" ];
-    # sandbox.extraPaths = [ "/" ];  #< TODO: narrow this down
+    sandbox.method = "landlock";
+    # sandbox.method = "bwrap";  #< fails, even with `/` and no namespaces besides user namespace
+    sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
+    # sandbox.net = "all";
+    # sandbox.extraConfig = [
+    #   "--sane-sandbox-keep-namespace" "cgroup"
+    #   "--sane-sandbox-keep-namespace" "ipc"
+    #   "--sane-sandbox-keep-namespace" "pid"
+    #   "--sane-sandbox-keep-namespace" "uts"
+    # ];
+    sandbox.usePortal = false;
+    # needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
+    sandbox.extraRuntimePaths = [ "/" ];
+    sandbox.extraPaths = [
+      "/dev/snd"
+    ];
+    sandbox.extraHomePaths = [
+      # pulseaudio cookie
+      ".config/pulse"
+    ];
 
     services.pipewire = {
       description = "pipewire: multimedia service";