# Module fragment configuring `sane.programs.xdg-utils` (the package that provides `xdg-open`).
# The only live setting is `sandbox.enable = false`; everything else below is commented out.
{ ... }:
{
  sane.programs.xdg-utils = {
    # xdg-open is deliberately left unsandboxed: it may need to open things
    # with elevated perms, like wireshark.
    # generally, the caller can be trusted to sandbox it.
    # if the caller is sandboxed, it will typically set NIXOS_XDG_OPEN_USE_PORTAL=1,
    # and then xdg-open simply forwards the request to dbus.
    #
    # NOTE(review): with the sandbox disabled, this wrapper adds no confinement of its own.
    # isolation depends entirely on the caller (and on whatever sandbox the chosen handler
    # carries, if any). presumably a caller that is NOT sandboxed and does not set
    # NIXOS_XDG_OPEN_USE_PORTAL launches the handler with its own privileges -- confirm that
    # every caller passing untrusted URLs or files is itself sandboxed.
    sandbox.enable = false;
  };

  # DISABLED alternative, kept for reference: sandbox xdg-open itself and route
  # every request through the portal.
  # NOTE(review): this block references `pkgs`, which the module arguments above (`{ ... }:`)
  # do not bind; it would have to be added to the argument set before re-enabling.
  #
  # sane.programs.xdg-utils = {
  #   sandbox.method = "capshonly";
  #   sandbox.wrapperType = "wrappedDerivation";
  #   # xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
  #   # we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
  #   # so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
  #   # -- EXCEPT for if we're invoked by the portal itself.
  #   #
  #   # note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
  #   # env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
  #   #
  #   # the sed below inserts a snippet at line 2 of every script in "$out"/bin which sets
  #   # NIXOS_XDG_OPEN_USE_PORTAL=1 whenever ~/.local/share/applications does not exist.
  #   packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
  #     postInstall = base.postInstall + ''
  #       sed '2i\
  #       if ! [ -e ~/.local/share/applications ]; then\
  #         NIXOS_XDG_OPEN_USE_PORTAL=1\
  #       fi\
  #       ' -i "$out"/bin/*
  #     '';
  #   });
  # };

  # DISABLED companion to the block above: clears NIXOS_XDG_OPEN_USE_PORTAL inside the portal's
  # own unit, to ensure that any `xdg-open` invocations from within the portal don't recurse.
  # N.B.: use `systemd.user.units...` instead of `systemd.user.services...` because the latter
  # pollutes the PATH for this unit.
  # systemd.user.units."xdg-desktop-portal.service".text = ''
  #   [Service]
  #   Environment="NIXOS_XDG_OPEN_USE_PORTAL="
  # '';
}