projects / bubblebox.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
provide some non-default settings to GTK3 apps
[bubblebox.git] / profiles.py
diff --git a/profiles.py b/profiles.py
index 18c3116517f828a71b8e2d8ecf0d477bcb775d9b..57dc01000a5d2aaecdc511cc6d49068f47daa7e6 100644 (file)
--- a/profiles.py
+++ b/profiles.py
@@ -30,33 +30,48 @@ DEFAULT = group(
   }),
 )
 
-# https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
+def X11():
+  display = os.environ["DISPLAY"].removeprefix(":").split('.')[0]
+  return host_access({
+      "/tmp/.X11-unix/": {
+        "X"+display: Access.Read,
+      },
+      os.environ["XAUTHORITY"]: Access.Read,
+  })
+
+# https://github.com/igo95862/bubblejail/blob/master/src/bubblejail/services.py is a good source of paths that need allowing.
 # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
 def DESKTOP(name):
   return group(
     DEFAULT,
     # Share XDG_RUNTIME_DIR among all instances of this sandbox
     shared_runtime_dir(name),
-    # Access to screen and audio
+    # Access to display servers, hardware acceleration, and audio
     host_access({
       "dev": {
         ("dri", "snd"): Access.Device,
       },
-      "/tmp/.X11-unix/": {
-        "X"+os.environ["DISPLAY"].removeprefix(":"): Access.Read,
-      },
-      os.environ["XAUTHORITY"]: Access.Read,
       XDG_RUNTIME_DIR: {
         (os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read,
       },
     }),
-    # Access to some key user configuration
+    X11(),
+    # Access to some key user configuration.
+    # We set GSETTINGS_BACKEND to make GTK3 apps use the config file in ~/.config/glib-2.0.
+    # (The "right" solution here is probably the settings portal...)
     home_access({
-      (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
+      (".config/fontconfig", ".config/glib-2.0", ".XCompose", ".local/share/applications"): Access.Read,
     }),
+    bwrap_flags("--setenv", "GSETTINGS_BACKEND", "keyfile"),
     # Access to basic d-bus services (that are hopefully safe to expose...)
-    dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
+    dbus_proxy_flags(
+      "--call=org.kde.StatusNotifierWatcher=@/StatusNotifierWatcher",
+      "--call=org.freedesktop.Notifications=@/org/freedesktop/Notifications",
+      "--call=org.freedesktop.ScreenSaver=@/org/freedesktop/ScreenSaver",
+      "--call=org.freedesktop.ScreenSaver=@/ScreenSaver",
+      "--talk=org.freedesktop.portal.*",
+    ),
     # Make it possible to open websites in Firefox
     home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
-    dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
+    dbus_proxy_flags("--call=org.mozilla.firefox.*=@/org/mozilla/firefox/Remote"),
   )
Simple Application Sandboxing