open-in-mpv: sandbox with bwrap

2024-02-15 09:49:03 +00:00 · 2024-02-15 09:49:03 +00:00 · df60be8c61
commit df60be8c61
parent e8b4c36442
1 changed files with 5 additions and 1 deletions
--- a/hosts/common/programs/open-in-mpv.nix
+++ b/hosts/common/programs/open-in-mpv.nix
@ -7,7 +7,7 @@
        (pkgs.fetchpatch {
          # if i want `open-in-mpv 'mpv:///open?...'` to use a different executable than `mpv` (e.g. `xdg-open`),
          # this patch is required.
-          # TODO: upstream (branch: dev-sane)
+          # PR against upstream: <https://github.com/Baldomo/open-in-mpv/pull/26>
          url = "https://git.uninsane.org/colin/open-in-mpv/commit/4d93d5fbdd3baebb6284c517cfe9fec9970c3002.patch";
          name = "open-in-mpv: respect the player's `executable` config";
          hash = "sha256-UkjR58mo4ifqGU2F1YhcJU14gX41XMaXwImbV+v7Tr8=";
@ -15,6 +15,10 @@
      ];
    });

+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistDbus = [ "user" ];  # for xdg-open/portals
+
    # taken from <https://github.com/Baldomo/open-in-mpv>
    fs.".config/open-in-mpv/config.yml".symlink.text = ''
      players: