librewolf: sandbox with bwrap

2024-01-27 15:16:53 +00:00
parent d69d8f64f3
commit eec89e2cc1
1 changed files with 10 additions and 0 deletions
--- a/hosts/common/programs/libreoffice.nix
+++ b/hosts/common/programs/libreoffice.nix
@@ -6,6 +6,16 @@
    # packageUnwrapped = pkgs.libreoffice-bin;
    # packageUnwrapped = pkgs.libreoffice-still;
    packageUnwrapped = pkgs.libreoffice-fresh;
+    sandbox.method = "bwrap";
+    sandbox.extraConfig = [
+      "--sane-sandbox-autodetect"
+    ];
+    sandbox.extraHomePaths = [
+      # allow a spot to save files.
+      # with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
+      # easy to shoot yourself in the foot!
+      "tmp"
+    ];

    slowToBuild = true;