From db6ba61429dfb05db493356c3313ee4b8749d615 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 29 Jan 2024 13:45:57 +0000
Subject: [PATCH] programs: sandbox more apps with wrapperType=wrappedDerivation
---
 hosts/common/programs/animatch.nix | 1 +
 hosts/common/programs/dialect.nix | 1 +
 hosts/common/programs/dino.nix | 1 +
 hosts/common/programs/element-desktop.nix | 1 +
 hosts/common/programs/epiphany.nix | 1 +
 hosts/common/programs/fractal.nix | 1 +
 hosts/common/programs/g4music.nix | 1 +
 hosts/common/programs/geary.nix | 1 +
 hosts/common/programs/go2tv.nix | 1 +
 hosts/common/programs/imagemagick.nix | 1 +
 hosts/common/programs/neovim.nix | 1 +
 hosts/common/programs/signal-desktop.nix | 1 +
 hosts/common/programs/spot.nix | 1 +
 hosts/common/programs/spotify.nix | 1 +
 hosts/common/programs/tor-browser.nix | 1 +
 hosts/common/programs/tuba.nix | 1 +
 hosts/common/programs/vlc.nix | 1 +
 hosts/common/programs/wike.nix | 1 +
 18 files changed, 18 insertions(+)
diff --git a/hosts/common/programs/animatch.nix b/hosts/common/programs/animatch.nix
index d8978be09..ed0de7383 100644
--- a/hosts/common/programs/animatch.nix
+++ b/hosts/common/programs/animatch.nix
@@ -30,6 +30,7 @@
 });
 };
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 persist.byStore.plaintext = [
 # ".config/Holy Pangolin/Animatch" #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
 ".local/share/Holy Pangolin/Animatch" #< used for game state (level clears). SuperDerpy.ini
diff --git a/hosts/common/programs/dialect.nix b/hosts/common/programs/dialect.nix
index febb799ca..852c96bcf 100644
--- a/hosts/common/programs/dialect.nix
+++ b/hosts/common/programs/dialect.nix
@@ -2,6 +2,7 @@
 {
 sane.programs.dialect = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
 sandbox.extraHomePaths = [
 ".config/dconf" # to persist settings
 ];
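Review bot: The added `sandbox.wrapperType = "wrappedDerivation";` carries no comment, here and in the thirteen sibling hunks that set the same value (dino, element-desktop, fractal, g4music, geary, go2tv, imagemagick, neovim, signal-desktop, spot, tor-browser, tuba, vlc), while every `"inplace"` hunk explains its choice. The option's declaration and default are outside this patch, so a reader of any one of these files cannot tell whether the line changes how bwrap is applied to the package or merely restates the default, nor which of the package's executables remain outside the wrapper under this mode (the `"inplace"` comments imply it is not all of them). Suggest a one-line comment at the first occurrence stating what the wrapper covers under `"wrappedDerivation"` and when `"inplace"` is required, worded to match the option's actual declaration. Only four of the eighteen files set `"inplace"`, which the subject line does not mention.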
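Review bot: The justification `# share/search_providers/ calls back into the binary, weird wrap semantics` on the new `"inplace"` line says why the default wrapper was unusable but not what `"inplace"` guarantees, and that is the security-relevant part: a GNOME search provider is typically started by D-Bus activation from the executable path in its own service file, not through anything in `bin/`, so unless the in-place wrapper replaces that executable the search-provider entry point runs outside bwrap. If `"inplace"` does substitute the package's own binaries, the comment should say so; suggested wording: `# share/search_providers/ re-enters the binary by its store path (D-Bus activation, not via bin/), so wrap in place to keep that entry point sandboxed`. The same clarification applies to the `"inplace"` comments in epiphany (`dbus files to /libexec`) and wike (`share/wike/wike-sp refers back to the binaries and share`), where a D-Bus-activated or helper process likewise never passes through a `bin/` wrapper.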
diff --git a/hosts/common/programs/dino.nix b/hosts/common/programs/dino.nix
index 6016e8c2f..ed3e46559 100644
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -46,6 +46,7 @@ in
 };
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 persist.byStore.private = [
 ".local/share/dino"
 ];
diff --git a/hosts/common/programs/element-desktop.nix b/hosts/common/programs/element-desktop.nix
index b95b73ab9..0fbc76513 100644
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -8,6 +8,7 @@
 {
 sane.programs.element-desktop = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 packageUnwrapped = pkgs.element-desktop.override {
 # use pre-build electron because otherwise it takes 4 hrs to build from source.
 electron = pkgs.electron-bin;
diff --git a/hosts/common/programs/epiphany.nix b/hosts/common/programs/epiphany.nix
index c561daff4..6a886c085 100644
--- a/hosts/common/programs/epiphany.nix
+++ b/hosts/common/programs/epiphany.nix
@@ -9,6 +9,7 @@
 {
 sane.programs.epiphany = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "inplace"; # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec
 sandbox.extraConfig = [
 # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
 # enabling DRM (as below) seems to fix that.
diff --git a/hosts/common/programs/fractal.nix b/hosts/common/programs/fractal.nix
index d45b81a58..38ea80227 100644
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@@ -28,6 +28,7 @@ in
 # packageUnwrapped = pkgs.fractal-next;
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 configOption = with lib; mkOption {
 default = {};
diff --git a/hosts/common/programs/g4music.nix b/hosts/common/programs/g4music.nix
index f739ddbd0..467e34693 100644
--- a/hosts/common/programs/g4music.nix
+++ b/hosts/common/programs/g4music.nix
@@ -9,6 +9,7 @@
 {
 sane.programs.g4music = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraHomePaths = [
 "Music"
 ];
diff --git a/hosts/common/programs/geary.nix b/hosts/common/programs/geary.nix
index 5cca3f220..f9a30f709 100644
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -20,6 +20,7 @@ in
 };
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraPaths = [
 # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
 # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
diff --git a/hosts/common/programs/go2tv.nix b/hosts/common/programs/go2tv.nix
index a57c6a8ab..3d2047003 100644
--- a/hosts/common/programs/go2tv.nix
+++ b/hosts/common/programs/go2tv.nix
@@ -34,6 +34,7 @@ in
 {
 sane.programs.go2tv = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 # for GUI invocation, allow the common media directories
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/imagemagick.nix b/hosts/common/programs/imagemagick.nix
index baa04d4c9..9d30a795b 100644
--- a/hosts/common/programs/imagemagick.nix
+++ b/hosts/common/programs/imagemagick.nix
@@ -2,6 +2,7 @@
 {
 sane.programs.imagemagick = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistPwd = true;
 sandbox.autodetectCliPaths = true; #< arg formatting is complicated enough that this won't always work.
 packageUnwrapped = pkgs.imagemagick.override {
diff --git a/hosts/common/programs/neovim.nix b/hosts/common/programs/neovim.nix
index ff31deb5a..317c0c3d6 100644
--- a/hosts/common/programs/neovim.nix
+++ b/hosts/common/programs/neovim.nix
@@ -87,6 +87,7 @@ in
 {
 sane.programs.neovim = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 # sandbox.whitelistPwd = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/signal-desktop.nix b/hosts/common/programs/signal-desktop.nix
index 4e9e8e6d2..25fad28ff 100644
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -23,6 +23,7 @@ in
 packageUnwrapped = pkgs.signal-desktop-from-src;
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 # creds, media
 persist.byStore.private = [
diff --git a/hosts/common/programs/spot.nix b/hosts/common/programs/spot.nix
index afbdcb0cc..50e9445f8 100644
--- a/hosts/common/programs/spot.nix
+++ b/hosts/common/programs/spot.nix
@@ -2,6 +2,7 @@
 {
 sane.programs.spot = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
 persist.byStore.plaintext = [
 ".cache/spot/img" # album art
diff --git a/hosts/common/programs/spotify.nix b/hosts/common/programs/spotify.nix
index 8e6cfa19e..2b79bea9f 100644
--- a/hosts/common/programs/spotify.nix
+++ b/hosts/common/programs/spotify.nix
@@ -2,6 +2,7 @@
 {
 sane.programs.spotify = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "inplace"; # nontraditional package structure, where binaries live in /share/spotify
 sandbox.extraConfig = [
 "--sane-sandbox-firejail-arg"
 "--keep-dev-shm"
diff --git a/hosts/common/programs/tor-browser.nix b/hosts/common/programs/tor-browser.nix
index fa9133ddc..9db6654fa 100644
--- a/hosts/common/programs/tor-browser.nix
+++ b/hosts/common/programs/tor-browser.nix
@@ -8,6 +8,7 @@
 # useHardenedMalloc = false;
 # };
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 persist.byStore.cryptClearOnBoot = [
 ".local/share/tor-browser"
 ];
diff --git a/hosts/common/programs/tuba.nix b/hosts/common/programs/tuba.nix
index d79c87381..31347b5f2 100644
--- a/hosts/common/programs/tuba.nix
+++ b/hosts/common/programs/tuba.nix
@@ -2,6 +2,7 @@
 {
 sane.programs.tuba = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 suggestedPrograms = [ "gnome-keyring" ];
 };
 }
diff --git a/hosts/common/programs/vlc.nix b/hosts/common/programs/vlc.nix
index 4b297af31..f8d9ca64c 100644
--- a/hosts/common/programs/vlc.nix
+++ b/hosts/common/programs/vlc.nix
@@ -11,6 +11,7 @@ in
 {
 sane.programs.vlc = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 persist.byStore.private = [
 # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
diff --git a/hosts/common/programs/wike.nix b/hosts/common/programs/wike.nix
index 6b56099e8..52ec6951a 100644
--- a/hosts/common/programs/wike.nix
+++ b/hosts/common/programs/wike.nix
@@ -2,6 +2,7 @@
 {
 sane.programs.wike = {
 sandbox.method = "bwrap";
+ sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share
 sandbox.extraPaths = [
 # wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
 # TODO: these could maybe be mounted empty.