firefox: allow webcam access

2024-09-13 00:02:48 +00:00
parent b9db78a154
commit b43ee23459
4 changed files with 24 additions and 14 deletions
--- a/hosts/common/programs/firefox/default.nix
+++ b/hosts/common/programs/firefox/default.nix
@@ -207,6 +207,7 @@ in
    sandbox.method = "bunpen";
    sandbox.net = "all";
    sandbox.whitelistAudio = true;
+    sandbox.whitelistAvDev = true;  #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
    sandbox.whitelistDbus = [ "user" ];  # mpris
    sandbox.whitelistWayland = true;
    sandbox.extraHomePaths = [
--- a/hosts/common/programs/pipewire/default.nix
+++ b/hosts/common/programs/pipewire/default.nix
@@ -69,18 +69,12 @@ in
    # ];
    sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
    sandbox.keepPidsAndProc = true;  #< TODO: why?
+    sandbox.whitelistAvDev = true;
    sandbox.capabilities = [
      # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
      "ipc_lock"
      "sys_nice"
    ];
-    sandbox.extraPaths = [
-      "/dev/snd"
-      # desko/lappy don't need these, but moby complains if not present
-      "/dev/video0"
-      "/dev/video1"
-      "/dev/video2"
-    ];
    sandbox.extraHomePaths = [
      # pulseaudio cookie
      ".config/pulse"
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@@ -12,14 +12,8 @@
    #   # "user"  #< apparently not needed?
    # ];
    sandbox.whitelistAudio = true;
+    sandbox.whitelistAvDev = true;  #< i think these video inputs (for e.g. webcam) are optional.
    sandbox.extraPaths = [
-      # i think these video inputs (for e.g. webcam) are optional.
-      "/dev/media0"
-      "/dev/snd"
-      # vvv video* is for moby
-      "/dev/video0"
-      "/dev/video1"
-      "/dev/video2"
      # "/run/systemd"
      "/run/udev"
      "/sys/class/sound"
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -392,6 +392,15 @@ let
          allow sandbox to freely interact with pulse/pipewire.
        '';
      };
+      sandbox.whitelistAvDev = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          allow sandbox to freely interact with raw audio/video devices under /dev,
+          e.g. /dev/video0, /dev/snd, /dev/v4l/...
+          pipewire-aware applications shouldn't need this.
+        '';
+      };
      sandbox.whitelistDbus = mkOption {
        type = types.listOf (types.enum [ "user" "system" ]);
        default = [ ];
@@ -526,6 +535,18 @@ let
        ]
        ++ lib.optionals config.sandbox.whitelistX [ "/tmp/.X11-unix" ]
        ++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ]
+        ++ lib.optionals config.sandbox.whitelistAvDev [
+          "/dev/media0"
+          "/dev/snd"
+          "/dev/v4l"
+          # /dev/videoN is used for webcam on lappy, and camera on moby
+          "/dev/video0"
+          "/dev/video1"
+          "/dev/video2"
+          # "/sys/class/sound"
+          # "/sys/class/video4linux"
+          # "/sys/devices"
+        ]
      ;
      sandbox.extraRuntimePaths =
        lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ]  # this includes pipewire/pipewire-0-manager: is that ok?