From 890b41f563b0cc90c8fc0af31a6a810071b8d416 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sun, 25 Feb 2024 14:34:11 +0000
Subject: [PATCH] programs: pipewire: sandbox still need to sandbox wireplumber
---
 hosts/common/programs/pipewire.nix | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/hosts/common/programs/pipewire.nix b/hosts/common/programs/pipewire.nix
index 16b9eecb..948229ad 100644
--- a/hosts/common/programs/pipewire.nix
+++ b/hosts/common/programs/pipewire.nix
@@ -7,11 +7,26 @@ in
 sane.programs.pipewire = {
 suggestedPrograms = [ "wireplumber" ];
- # sandbox.method = "bwrap";
- # sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
- # # needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
- # # sandbox.extraRuntimePaths = [ "/" ];
- # sandbox.extraPaths = [ "/" ]; #< TODO: narrow this down
+ sandbox.method = "landlock";
+ # sandbox.method = "bwrap"; #< fails, even with `/` and no namespaces besides user namespace
+ sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
+ # sandbox.net = "all";
+ # sandbox.extraConfig = [
+ # "--sane-sandbox-keep-namespace" "cgroup"
+ # "--sane-sandbox-keep-namespace" "ipc"
+ # "--sane-sandbox-keep-namespace" "pid"
+ # "--sane-sandbox-keep-namespace" "uts"
+ # ];
+ sandbox.usePortal = false;
+ # needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
+ sandbox.extraRuntimePaths = [ "/" ];
+ sandbox.extraPaths = [
+ "/dev/snd"
+ ];
+ sandbox.extraHomePaths = [
+ # pulseaudio cookie
+ ".config/pulse"
+ ];
 services.pipewire = {
 description = "pipewire: multimedia service";
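Review bot: `sandbox.extraRuntimePaths = [ "/" ];` still grants the sandboxed process the whole `/run/user/$uid` tree, but the `#< TODO: narrow this down` marker that annotated the previous over-broad `sandbox.extraPaths = [ "/" ]` line was dropped rather than moved, so the one remaining broad grant is no longer flagged for follow-up. The comment above it explains why the directory itself must be writable (the device files are created there), which is a fair reason to keep it for now, but I would carry the marker over: `sandbox.extraRuntimePaths = [ "/" ]; #< TODO: narrow this down`. The inline note on the commented `sandbox.method = "bwrap";` line records that bwrap failed even with `/` mapped and only a user namespace; a one-line pointer to what was tried would make that easier to revisit than leaving the four `--sane-sandbox-keep-namespace` lines as dead config. The hunk header counts 11 old-side lines while only 9 are visible here, so the trailing context of this hunk appears to be cut off.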