feat(hardening/nixpaks): adjust app's direcotry permission

hardening/nixpaks/firefox.nix

@@ -45,10 +45,11 @@ mkNixPak {
         # NOTE: sloth.mkdir is used to create the directory if it does not exist!
         (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
 
-        sloth.xdgDownloadDir
         # ================ for externsions ===============================
         # required by https://github.com/browserpass/browserpass-extension
         (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass
+        sloth.xdgDownloadDir
+        sloth.xdgDocumentsDir
       ];
       bind.ro = [
         # To actually make Firefox run

hardening/nixpaks/qq.nix

@@ -41,7 +41,8 @@ mkNixPak {
         # given the read write permission to the following directories.
         # NOTE: sloth.mkdir is used to create the directory if it does not exist!
         (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
-        (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/QQ"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/QQ"]))
+        sloth.xdgDownloadDir
       ];
       sockets = {
         x11 = false;

hardening/nixpaks/wechat-uos.nix

@@ -48,7 +48,7 @@ mkNixPak {
         (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
         (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
         (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
-        (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/WeChat"]))
+        sloth.xdgDownloadDir
       ];
       sockets = {
         x11 = false;