diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
index 2d68b7de..f2a25872 100644
--- a/hardening/nixpaks/firefox.nix
+++ b/hardening/nixpaks/firefox.nix
@@ -34,20 +34,6 @@ let
 ./modules/common.nix
 ];
 
- # list all dbus services:
- # ls -al /run/current-system/sw/share/dbus-1/services/
- # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
- dbus.policies = {
- "org.mozilla.firefox.*" = "own"; # firefox
- "org.mozilla.firefox_beta.*" = "own"; # firefox beta
- "org.mpris.MediaPlayer2.firefox.*" = "own";
-
- "org.gnome.Shell.Screencast" = "talk";
- # System tray icon
- "org.freedesktop.Notifications" = "talk";
- "org.kde.StatusNotifierWatcher" = "talk";
- };
-
 bubblewrap = {
 # To trace all the home files Firefox accesses, you can use the following nushell command:
 # just trace-access firefox
@@ -61,6 +47,7 @@ let
 sloth.xdgDownloadDir
 sloth.xdgMusicDir
 sloth.xdgVideosDir
+ sloth.xdgPicturesDir
 ];
 bind.ro = [
 "/sys/bus/pci"
diff --git a/hardening/nixpaks/modules/common.nix b/hardening/nixpaks/modules/common.nix
index d2ca4f18..f80f8ac5 100644
--- a/hardening/nixpaks/modules/common.nix
+++ b/hardening/nixpaks/modules/common.nix
@@ -1,5 +1,6 @@
 # https://github.com/mnixry/nixos-config/blob/74913c2b90d06e31170bbbaa0074f915721da224/desktop/packages/nixpaks-common.nix
 # https://github.com/Kraftland/portable/blob/09c4a4227538a3f42de208a6ecbdc938ac9c00dd/portable.sh
+# https://flatpak.github.io/xdg-desktop-portal/docs/api-reference.html
 {
 lib,
 sloth,
@@ -11,6 +12,9 @@ let
 in
 {
 config = {
+ # list all dbus services:
+ # ls -al /run/current-system/sw/share/dbus-1/services/
+ # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
 dbus = {
 # `--see`: The bus name can be enumerated by the application.
 # `--talk`: The application can send messages to, and receive replies and signals from, the bus name.
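Review bot: The three `own` policies dropped from firefox.nix (`"org.mozilla.firefox.*"`, `"org.mozilla.firefox_beta.*"`, `"org.mpris.MediaPlayer2.firefox.*"`) do not reappear in either common.nix hunk of this diff, which only adds `org.gnome.Shell.Screencast`; unless they already exist in common.nix outside the shown lines, Firefox presumably can no longer claim its own bus name or its MPRIS name under the proxy, which I would expect to surface as broken remote/single-instance handling and media keys. The same check applies to the qq.nix hunk, which drops `"org.kde.*" = "own"` (commented there as the legacy StatusNotifier path for the tray icon), and to the telegram-desktop.nix hunk, which drops `org.gnome.Mutter.IdleMonitor` and `com.canonical.AppMenu.Registrar` while keeping its own `policies` block rather than the shared one. If these removals are deliberate tightening, a one-line comment at each site stating it (`# app-specific bus names intentionally not granted; see modules/common.nix for the shared policy`) would stop the next reader from re-adding them. The enclosing `let` binding of each file continues outside the hunk.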
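Review bot: `sloth.xdgPicturesDir` is appended to a bind list whose kind is declared above the hunk; the `bind.ro = [` that follows and the existing Download/Music/Videos entries suggest this is the read-write list, in which case Firefox gets a standing write mapping of the entire Pictures tree rather than access to files the user actually picks. The identical addition is made in the qq.nix and telegram-desktop.nix hunks, so the same question applies there. If the goal is uploading or attaching images, the FileChooser portal described by the api-reference link added to common.nix grants per-file access on demand without a bind; if a bind is really needed, consider `bind.ro` and a comment such as `# Pictures: read-only, uploads only — no app here needs to write into it` so the scope stays documented.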
@@ -41,6 +45,7 @@ in
 "org.freedesktop.FileManager1" = "talk";
 "org.freedesktop.Notifications" = "talk";
 "org.kde.StatusNotifierWatcher" = "talk";
+ "org.gnome.Shell.Screencast" = "talk";
 
 # --- Accessibility (a11y) 无障碍服务 ---
 "org.a11y.Bus" = "see";
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
index d186bfd7..a02a1f4c 100644
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
@@ -31,19 +31,6 @@ let
 ./modules/common.nix
 ];
 
- # list all dbus services:
- # ls -al /run/current-system/sw/share/dbus-1/services/
- # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
- dbus.policies = {
- "org.gnome.Shell.Screencast" = "talk";
- # System tray icon
- "org.freedesktop.Notifications" = "talk";
- "org.kde.StatusNotifierWatcher" = "talk";
- # File Manager
- "org.freedesktop.FileManager1" = "talk";
- # Uses legacy StatusNotifier implementation
- "org.kde.*" = "own";
- };
 bubblewrap = {
 # To trace all the home files QQ accesses, you can use the following nushell command:
 # just trace-access qq
@@ -53,6 +40,7 @@ let
 sloth.xdgDownloadDir
 sloth.xdgMusicDir
 sloth.xdgVideosDir
+ sloth.xdgPicturesDir
 ];
 sockets = {
 x11 = false;
diff --git a/hardening/nixpaks/telegram-desktop.nix b/hardening/nixpaks/telegram-desktop.nix
index 1f9445d5..01ff6450 100644
--- a/hardening/nixpaks/telegram-desktop.nix
+++ b/hardening/nixpaks/telegram-desktop.nix
@@ -24,10 +24,6 @@ let
 dbus = {
 enable = true;
 policies = {
- "org.gnome.Mutter.IdleMonitor" = "talk";
- "org.freedesktop.Notifications" = "talk";
- "org.kde.StatusNotifierWatcher" = "talk";
- "com.canonical.AppMenu.Registrar" = "talk";
 "com.canonical.indicator.application" = "talk";
 "org.ayatana.indicator.application" = "talk";
 "org.sigxcpu.Feedback" = "talk";
@@ -40,6 +36,7 @@ let
 sloth.xdgDownloadDir
 sloth.xdgMusicDir
 sloth.xdgVideosDir
+ sloth.xdgPicturesDir
 ];
 sockets = {
 x11 = false;
diff --git a/modules/nixos/base/networking/misc.nix b/modules/nixos/base/networking/misc.nix
index 62f9d085..b60f40a5 100644
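Review bot: `"org.gnome.Shell.Screencast" = "talk"` is now granted to every sandbox that imports common.nix, whereas before this commit only firefox.nix and qq.nix carried it and telegram-desktop.nix did not. This is GNOME Shell's internal recorder interface, not the portal `org.freedesktop.portal.ScreenCast` that the api-reference link added at the top of common.nix documents, so, as far as I know, an app allowed to talk to it can start a recording without the portal's consent prompt; a shared policy file is the wrong place for that unless every app needs it. I would keep it per-app, or at minimum annotate it: `# Direct Shell screencast interface (no portal consent dialog) — needed by Firefox/QQ screen sharing; remove if an app does not share its screen`. Separately, the moved comment hardcodes `/etc/profiles/per-user/ryan/`, which is now in a module meant to be shared; `/etc/profiles/per-user/$USER/` would read the same for any user.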
--- a/modules/nixos/base/networking/misc.nix
+++ b/modules/nixos/base/networking/misc.nix
@@ -8,9 +8,4 @@
 # dynamically update /etc/hosts for testing
 # Note that changes made in this way will be discarded when switching configurations.
 environment.etc.hosts.mode = "0644";
-
- networking.hosts."127.0.0.1" = [
- # Block this domain to prevent QQ from auto-updating.
- "qqpatch.gtimg.cn"
- ];
 }