programs: sandbox: allow all programs to access media

hopefully this is just a stopgap

modules/programs/default.nix

@@ -40,12 +40,24 @@ let
       let
         makeSandboxed = pkgs.callPackage ./make-sandboxed.nix { sane-sandboxed = config.sane.sandboxHelper; };
         vpn = lib.findSingle (v: v.default) null null (builtins.attrValues config.sane.vpn);
+        # TODO: restrict access to these media paths a bit more.
+        #       maybe mount them user=nobody and restrict based on group?
+        mediaHomePaths = [
+          "Books"
+          "Music"
+          "Pictures"
+          "Videos"
+          "tmp"
+        ];
+        mediaRootPaths = [
+          "/mnt/servo-media"
+        ];
       in
         makeSandboxed {
           inherit pkgName package;
           inherit (sandbox) binMap method;
           vpn = if net == "vpn" then vpn else null;
-          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath;
+          allowedHomePaths = builtins.attrNames fs ++ builtins.attrNames persist.byPath ++ mediaHomePaths;
           allowedRootPaths = [
             "/nix/store"
             "/etc"  #< especially for /etc/profiles/per-user/$USER/bin
@@ -58,7 +70,7 @@ let
             "/run/opengl-driver-32"
             "/run/user"  #< particularly /run/user/$id/wayland-1, pulse, etc.
             # "/dev/dri"  #< fix non-fatal "libEGL warning: wayland-egl: could not open /dev/dri/renderD128" (geary)
-          ];
+          ] ++ mediaRootPaths;
         }
   );
   pkgSpec = with lib; types.submodule ({ config, name, ... }: {