From e2fdf6fe578fba653b6941a6d8c726ac99f60ff8 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 16 Apr 2024 10:05:55 +0200 Subject: [PATCH 1/1] improve DISPLAY env var parsing and factor X11 ode into separate function --- profiles.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/profiles.py b/profiles.py index 18c3116..3152898 100644 --- a/profiles.py +++ b/profiles.py @@ -30,6 +30,15 @@ DEFAULT = group( }), ) +def X11(): + display = os.environ["DISPLAY"].removeprefix(":").split('.')[0] + return host_access({ + "/tmp/.X11-unix/": { + "X"+display: Access.Read, + }, + os.environ["XAUTHORITY"]: Access.Read, + }) + # https://github.com/igo95862/bubblejail is a good source of paths that need allowing. # We do not give access to pipewire, that needs a portal (https://docs.pipewire.org/page_portal.html). def DESKTOP(name): @@ -37,19 +46,16 @@ def DESKTOP(name): DEFAULT, # Share XDG_RUNTIME_DIR among all instances of this sandbox shared_runtime_dir(name), - # Access to screen and audio + # Access to display servers, hardware acceleration, and audio host_access({ "dev": { ("dri", "snd"): Access.Device, }, - "/tmp/.X11-unix/": { - "X"+os.environ["DISPLAY"].removeprefix(":"): Access.Read, - }, - os.environ["XAUTHORITY"]: Access.Read, XDG_RUNTIME_DIR: { (os.environ["WAYLAND_DISPLAY"], "pulse"): Access.Read, }, }), + X11(), # Access to some key user configuration home_access({ (".config/fontconfig", ".XCompose", ".local/share/applications"): Access.Read, -- 2.39.5