colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

firefox: allow webcam access

Browse Source
This commit is contained in:
Colin
2024-09-13 00:02:48 +00:00
parent b9db78a154
commit b43ee23459
4 changed files with 24 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/common/programs/firefox/default.nix
View File

@@ -207,6 +207,7 @@ in
sandbox.method = "bunpen"; sandbox.method = "bunpen";
sandbox.net = "all"; sandbox.net = "all";
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
sandbox.whitelistDbus = [ "user" ]; # mpris sandbox.whitelistDbus = [ "user" ]; # mpris
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [ sandbox.extraHomePaths = [

8
hosts/common/programs/pipewire/default.nix
View File

@@ -69,18 +69,12 @@ in
# ]; # ];
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
sandbox.keepPidsAndProc = true; #< TODO: why? sandbox.keepPidsAndProc = true; #< TODO: why?
sandbox.whitelistAvDev = true;
sandbox.capabilities = [ sandbox.capabilities = [
# if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
"ipc_lock" "ipc_lock"
"sys_nice" "sys_nice"
]; ];
sandbox.extraPaths = [
"/dev/snd"
# desko/lappy don't need these, but moby complains if not present
"/dev/video0"
"/dev/video1"
"/dev/video2"
];
sandbox.extraHomePaths = [ sandbox.extraHomePaths = [
# pulseaudio cookie # pulseaudio cookie
".config/pulse" ".config/pulse"

8
hosts/common/programs/wireplumber.nix
View File

@@ -12,14 +12,8 @@
# # "user" #< apparently not needed? # # "user" #< apparently not needed?
# ]; # ];
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistAvDev = true; #< i think these video inputs (for e.g. webcam) are optional.
sandbox.extraPaths = [ sandbox.extraPaths = [
# i think these video inputs (for e.g. webcam) are optional.
"/dev/media0"
"/dev/snd"
# vvv video* is for moby
"/dev/video0"
"/dev/video1"
"/dev/video2"
# "/run/systemd" # "/run/systemd"
"/run/udev" "/run/udev"
"/sys/class/sound" "/sys/class/sound"

21
modules/programs/default.nix
View File

@@ -392,6 +392,15 @@ let
allow sandbox to freely interact with pulse/pipewire. allow sandbox to freely interact with pulse/pipewire.
''; '';
}; };
sandbox.whitelistAvDev = mkOption {
type = types.bool;
default = false;
description = ''
allow sandbox to freely interact with raw audio/video devices under /dev,
e.g. /dev/video0, /dev/snd, /dev/v4l/...
pipewire-aware applications shouldn't need this.
'';
};
sandbox.whitelistDbus = mkOption { sandbox.whitelistDbus = mkOption {
type = types.listOf (types.enum [ "user" "system" ]); type = types.listOf (types.enum [ "user" "system" ]);
default = [ ]; default = [ ];
@@ -526,6 +535,18 @@ let
] ]
++ lib.optionals config.sandbox.whitelistX [ "/tmp/.X11-unix" ] ++ lib.optionals config.sandbox.whitelistX [ "/tmp/.X11-unix" ]
++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ] ++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ]
++ lib.optionals config.sandbox.whitelistAvDev [
"/dev/media0"
"/dev/snd"
"/dev/v4l"
# /dev/videoN is used for webcam on lappy, and camera on moby
"/dev/video0"
"/dev/video1"
"/dev/video2"
# "/sys/class/sound"
# "/sys/class/video4linux"
# "/sys/devices"
]
; ;
sandbox.extraRuntimePaths = sandbox.extraRuntimePaths =
lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok? lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?