From b40d2cc2a57f4c986d94eaa84955709a094719f1 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Fri, 10 Jan 2025 00:26:47 +0000
Subject: [PATCH] programs: discord: restrict dbus

---
 hosts/common/programs/discord.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hosts/common/programs/discord.nix b/hosts/common/programs/discord.nix
index 93045feed..ed40ae06e 100644
--- a/hosts/common/programs/discord.nix
+++ b/hosts/common/programs/discord.nix
@@ -11,7 +11,11 @@
     persist.byStore.private = [ ".config/discord" ];
     sandbox.wrapperType = "inplace";  #< package contains broken symlinks that my wrapper can't handle
     sandbox.whitelistAudio = true;
-    sandbox.whitelistDbus.user = true;  #< TODO: reduce  # needed for xdg-open
+    # sandbox.whitelistDbus.user.own = [ ":*" ];  #< does not own any well-known name
+    sandbox.whitelistPortal = [
+      # "FileChooser"  #< does not use file chooser
+      "OpenURI"
+    ];
     sandbox.whitelistDri = true;  #< required for even basic graphics (e.g. rendering a window)
     sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";