From eec89e2cc1f11a33469b497dd67285a79bff550a Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 27 Jan 2024 15:16:53 +0000
Subject: [PATCH] librewolf: sandbox with bwrap
---
 hosts/common/programs/libreoffice.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/hosts/common/programs/libreoffice.nix b/hosts/common/programs/libreoffice.nix
index c42f95ade..77e0ff20e 100644
--- a/hosts/common/programs/libreoffice.nix
+++ b/hosts/common/programs/libreoffice.nix
@@ -6,6 +6,16 @@
 # packageUnwrapped = pkgs.libreoffice-bin;
 # packageUnwrapped = pkgs.libreoffice-still;
 packageUnwrapped = pkgs.libreoffice-fresh;
+ sandbox.method = "bwrap";
+ sandbox.extraConfig = [
+ "--sane-sandbox-autodetect"
+ ];
+ sandbox.extraHomePaths = [
+ # allow a spot to save files.
+ # with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
+ # easy to shoot yourself in the foot!
+ "tmp"
+ ];
 slowToBuild = true;