bonsai: sandbox

hosts/common/programs/bonsai.nix

@@ -111,6 +111,11 @@ in
       };
     };
 
+    sandbox.method = "bwrap";
+    sandbox.extraRuntimePaths = [
+      "/"  #< just needs "bonsai", but needs to create it first...
+    ];
+
     services.bonsaid = {
       description = "bonsai: programmable input dispatcher";
       after = [ "graphical-session.target" ];

hosts/common/programs/sane-input-handler/default.nix

@@ -102,7 +102,6 @@ in
       "sway"
       "wvkbd"
     ];
-
     sandbox.method = "bwrap";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  #< to launch applications
@@ -137,6 +136,10 @@ in
   #   };
   # };
 
+  # TODO: duplicated sandboxing here is just ugly
+  sane.programs.bonsai.sandbox = lib.mkIf cfg.enabled (
+    builtins.removeAttrs cfg.sandbox [ "method" ]  #< else infinite recursion
+  );
   sane.programs.bonsai.config.transitions = lib.mkIf cfg.enabled (friendlyToBonsai {
     # map sequences of "events" to an argument to pass to sane-input-handler