programs: get xdg-open to work from within sandboxes
note that implementation may have a quirk that applications launched via the portal cannot themselves "xdg-open" through the portal, because of the environment variable manipulation. not sure how best to address that.
This commit is contained in:
@@ -447,9 +447,6 @@ in
|
|||||||
|
|
||||||
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
|
whalebird.persist.byStore.private = [ ".config/Whalebird" ];
|
||||||
|
|
||||||
xdg-utils.sandbox.method = "capshonly";
|
|
||||||
xdg-utils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
|
|
||||||
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
||||||
|
|
||||||
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
|
@@ -91,6 +91,7 @@
|
|||||||
./wireshark.nix
|
./wireshark.nix
|
||||||
./wob.nix
|
./wob.nix
|
||||||
./xarchiver.nix
|
./xarchiver.nix
|
||||||
|
./xdg-utils.nix
|
||||||
./zeal.nix
|
./zeal.nix
|
||||||
./zecwallet-lite.nix
|
./zecwallet-lite.nix
|
||||||
./zsh
|
./zsh
|
||||||
|
21
hosts/common/programs/xdg-utils.nix
Normal file
21
hosts/common/programs/xdg-utils.nix
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
sane.programs.xdg-utils = {
|
||||||
|
sandbox.method = "capshonly";
|
||||||
|
sandbox.wrapperType = "wrappedDerivation";
|
||||||
|
# xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
|
||||||
|
# we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
|
||||||
|
# so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
|
||||||
|
#
|
||||||
|
# note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
|
||||||
|
env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
|
||||||
|
};
|
||||||
|
|
||||||
|
# ensure that any `xdg-open` invocations from within the portal don't recurse.
|
||||||
|
# N.B.: use `systemd.user.units...` instead of `systemd.user.services...` because the latter
|
||||||
|
# pollutes the PATH for this unit.
|
||||||
|
systemd.user.units."xdg-desktop-portal.service".text = ''
|
||||||
|
[Service]
|
||||||
|
Environment="NIXOS_XDG_OPEN_USE_PORTAL="
|
||||||
|
'';
|
||||||
|
}
|
Reference in New Issue
Block a user