# https://github.com/igo95862/bubblejail is a good source of paths that need allowing.
# We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html).
-DESKTOP = collect_flags(
- # Access to screen and audio
- host_access({
- "dev": {
- ("dri", "snd"): Access.Device,
- },
- "/tmp/.X11-unix/": Access.Read,
- os.environ["XAUTHORITY"]: Access.Read,
- XDG_RUNTIME_DIR: {
- ("wayland*", "pulse"): Access.Read,
- },
- }),
- # Access to some key user configuration
- home_access({
- (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
- }),
- # Access to basic d-bus services (that are hopefully safe to expose...)
- dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
- # Make it possible to open websites in Firefox
- home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
- dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
-)
+def DESKTOP(name):
+ return collect_flags(
+ DEFAULT,
+ # Share XDG_RUNTIME_DIR among all instances of this sandbox
+ shared_runtime_dir(name),
+ # Access to screen and audio
+ host_access({
+ "dev": {
+ ("dri", "snd"): Access.Device,
+ },
+ "/tmp/.X11-unix/": Access.Read,
+ os.environ["XAUTHORITY"]: Access.Read,
+ XDG_RUNTIME_DIR: {
+ ("wayland*", "pulse"): Access.Read,
+ },
+ }),
+ # Access to some key user configuration
+ home_access({
+ (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read,
+ }),
+ # Access to basic d-bus services (that are hopefully safe to expose...)
+ dbus_proxy_flags("--talk=org.kde.StatusNotifierWatcher.*", "--talk=org.freedesktop.Notifications.*", "--talk=org.freedesktop.ScreenSaver.*", "--talk=org.freedesktop.portal.*"),
+ # Make it possible to open websites in Firefox
+ home_access({ ".mozilla/firefox/profiles.ini": Access.Read }),
+ dbus_proxy_flags("--talk=org.mozilla.firefox.*"),
+ )
projects / bubblebox.git / blobdiff