From ec816311f93fd4a9453efa51ec45297f94040cfe Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 10 Jan 2025 01:56:25 +0000
Subject: [PATCH] programs: dino: restrict dbus
---
 hosts/common/programs/dino.nix | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/hosts/common/programs/dino.nix b/hosts/common/programs/dino.nix
index 090bed543..51c5acfe4 100644
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -58,14 +58,22 @@ in
 webrtc-audio-processing = null;
 };
- suggestedPrograms = [
- "gnome-keyring"
- ];
+ # suggestedPrograms = [
+ # "gnome-keyring"
+ # ];
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
- sandbox.whitelistDbus.user = true; #< TODO: reduce # notifications
+ # sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*"; #< apparently not needed?
+ sandbox.whitelistDbus.user.own = [ "im.dino.Dino" ];
 sandbox.whitelistDri = true; #< not strictly necessary, but we need all the perf we can get on moby
+ sandbox.whitelistSendNotifications = true;
+ sandbox.whitelistPortal = [
+ # "FileChooser"
+ # "NetworkMonitor" #< stderr message if omitted, but non-fatal
+ "OpenURI"
+ "ProxyResolver" #< REQUIRED, else all peers will appear offline & messages can't be sent/received
+ ];
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "Music"
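Review bot: The commented-out `sandbox.whitelistDbus.user.call."org.freedesktop.secrets" = "*";` line and its `#< apparently not needed?` leave the one security-relevant decision in this hunk undocumented, because a later reader cannot tell whether secret-service access was tested and found unused or only guessed at. I would replace that line, and the commented-out `suggestedPrograms` block above it, with a comment recording what was verified, e.g. `# org.freedesktop.secrets deliberately not whitelisted: login and reconnect verified without it (<date / dino version>)`. This matters because un-commenting the line as written would presumably give the sandboxed client call access to the whole secret service rather than to its own items only. `"OpenURI"` is also the only enabled portal entry without a why-comment; a short one stating the reason it is needed would match the `ProxyResolver` entry. The enclosing attribute set starts and ends outside the hunk.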