programs: pipewire: sandbox
still need to sandbox wireplumber
parent
ca36fe1b96
commit
890b41f563
@ -7,11 +7,26 @@ in
sane.programs.pipewire = {
suggestedPrograms = [ "wireplumber" ];
# sandbox.method = "bwrap";
# sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
# # needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
# # sandbox.extraRuntimePaths = [ "/" ];
# sandbox.extraPaths = [ "/" ]; #< TODO: narrow this down
sandbox.method = "landlock";
# sandbox.method = "bwrap"; #< fails, even with `/` and no namespaces besides user namespace
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
# sandbox.net = "all";
# sandbox.extraConfig = [
# "--sane-sandbox-keep-namespace" "cgroup"
# "--sane-sandbox-keep-namespace" "ipc"
# "--sane-sandbox-keep-namespace" "pid"
# "--sane-sandbox-keep-namespace" "uts"
# ];
sandbox.usePortal = false;
# needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
sandbox.extraRuntimePaths = [ "/" ];
sandbox.extraPaths = [
"/dev/snd"
];
sandbox.extraHomePaths = [
# pulseaudio cookie
".config/pulse"
];
services.pipewire = {
description = "pipewire: multimedia service";
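Review bot: `sandbox.extraRuntimePaths = [ "/" ];` on the new side grants the sandboxed pipewire process the whole per-user runtime directory (per the comment above it, `/run/user/$uid`), which presumably exposes every other socket kept there and not only the device files pipewire must create, and the `#< TODO: narrow this down` marker that the removed `sandbox.extraPaths = [ "/" ];` line carried is not preserved on it. Suggest keeping that marker on the new line, e.g. `sandbox.extraRuntimePaths = [ "/" ]; #< TODO: narrow this down; only create access in the dir itself is needed`, so the broad grant reads as a known gap rather than the intended end state. `sandbox.usePortal = false;` has no rationale; a one-line why-comment stating what the portal would otherwise mediate and why pipewire cannot go through it would help (the reason is not visible here). The commented-out bwrap, `sandbox.net` and `sandbox.extraConfig` namespace experiments remain as dead config on the new side; the `#< fails, even with ...` finding on the bwrap line is the useful part and could stand alone or move to the commit message. The `sane.programs.pipewire` attribute set continues outside the hunk.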