don't change hostname, it doesn't work well for GUI apps under Gnome

[bubblebox.git] / profiles.py

diff --git a/profiles.py b/profiles.py
index 3d395c512c6c2630a942fed0b12937bb49ea776d..d2d78413ee8ef36d2e1dcb4b496ba145577cd2c4 100644 (file)
--- a/profiles.py
+++ b/profiles.py
@@ -7,7 +7,8 @@ DEFAULT = group(
   bwrap_flags("--unshare-user", "--unshare-pid", "--unshare-cgroup"),
   # A different hostname is useful to be able to see when we are inside the sandbox.
   # However, some applications will not like this unless the hostname also exists in `/etc/hosts`!
-  bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
+  # Also, gnome-shell doesn't display window icons properly when this is set.
+  #bwrap_flags("--unshare-uts", "--hostname", "bubblebox"),
   # Make sure the sandbox cannot inject commands into the host terminal.
   # TODO: This flag breaks some CLI applications, like job control in shells.
   # Consider using SECCOMP instead.
@@ -56,10 +57,13 @@ def DESKTOP(name):
       },
     }),
     X11(),
-    # Access to some key user configuration
+    # Access to some key user configuration.
+    # We set GSETTINGS_BACKEND to make GTK3 apps use the config file in ~/.config/glib-2.0.
+    # (The "right" solution here is probably the settings portal...)
     home_access({
-      (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
+      (".config/fontconfig", ".config/glib-2.0", ".XCompose", ".local/share/applications"): Access.Read,
     }),
+    bwrap_flags("--setenv", "GSETTINGS_BACKEND", "keyfile"),
     # Access to basic d-bus services (that are hopefully safe to expose...)
     dbus_proxy_flags(
       "--call=org.kde.StatusNotifierWatcher=@/StatusNotifierWatcher",