programs: sandbox: allow all programs to access media

hopefully this is just a stopgap
2024-01-23 11:36:58 +00:00 · 2024-01-23 11:36:58 +00:00 · 98dfc3aa5a
commit 98dfc3aa5a
parent 27b56b1a12
1 changed files with 14 additions and 2 deletions
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -40,12 +40,24 @@ let
      let
        makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
        vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+        # TODO: restrict access to these media paths a bit more.
+        #       maybe mount them user=nobody and restrict based on group?
+        mediaHomePaths = [
+          "Books"
+          "Music"
+          "Pictures"
+          "Videos"
+          "tmp"
+        ];
+        mediaRootPaths = [
+          "/mnt/servo-media"
+        ];
      in
        makeSandboxed {
          inherit pkgName package;
          inherit (sandbox) binMap method;
          vpn = if net == "vpn" then vpn else null;
-          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath;
+          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ mediaHomePaths;
          allowedRootPaths = [
            "/nix/store"
            "/etc"  #< especially for /etc/profiles/per-user/$USER/bin
@ -58,7 +70,7 @@ let
            "/run/opengl-driver-32"
            "/run/user"  #< particularly /run/user/$id/wayland-1, pulse, etc.
            # "/dev/dri"  #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
-          ];
+          ] ++ mediaRootPaths;
        }
  );
  pkgSpec = with lib; types.submodule ({ config, name, ... }: {