diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
index 4c8589a9..7379dd50 100644
--- a/hardening/nixpaks/firefox.nix
+++ b/hardening/nixpaks/firefox.nix
@@ -34,6 +34,15 @@ mkNixPak {
 "org.mozilla.firefox_beta.*" = "own"; # firefox beta
 "org.mpris.MediaPlayer2.firefox.*" = "own";
 "org.freedesktop.NetworkManager" = "talk";
+
+ "org.gnome.Shell.Screencast" = "talk";
+ # System tray icon
+ "org.freedesktop.Notifications" = "talk";
+ "org.kde.StatusNotifierWatcher" = "talk";
+ # File Manager
+ "org.freedesktop.FileManager1" = "talk";
+ # Uses legacy StatusNotifier implementation
+ "org.kde.*" = "own";
 };
 bubblewrap = {
@@ -45,8 +54,10 @@ mkNixPak {
 # NOTE: sloth.mkdir is used to create the directory if it does not exist!
 (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
- sloth.xdgDownloadDir
 sloth.xdgDocumentsDir
+ sloth.xdgDownloadDir
+ sloth.xdgMusicDir
+ sloth.xdgVideosDir
 ];
 bind.ro = [
 # To actually make Firefox run
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
index 5ab8e74b..7190dba9 100644
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
@@ -30,8 +30,13 @@ mkNixPak {
 # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
 dbus.policies = {
 "org.gnome.Shell.Screencast" = "talk";
+ # System tray icon
 "org.freedesktop.Notifications" = "talk";
 "org.kde.StatusNotifierWatcher" = "talk";
+ # File Manager
+ "org.freedesktop.FileManager1" = "talk";
+ # Uses legacy StatusNotifier implementation
+ "org.kde.*" = "own";
 };
 bubblewrap = {
 # To trace all the home files QQ accesses, you can use the following nushell command:
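Review bot: `"org.kde.*" = "own";` in the firefox.nix dbus hunk lets the sandboxed browser own and call every session-bus name under `org.kde`, not only a status-notifier item; as far as I know "own" in the D-Bus proxy includes "talk", so on a KDE session this would also expose services such as KWallet (`org.kde.kwalletd5`/`org.kde.kwalletd6`) and makes the `org.kde.StatusNotifierWatcher` talk rule redundant. The same rule is added in the qq.nix dbus hunk. The Firefox block also reads as copied from qq.nix: Firefox has no tray icon that I know of, and screen sharing normally goes through the desktop portal rather than a direct `org.gnome.Shell.Screencast` grant, so I would drop these entries here unless a concrete breakage requires them. Where the wildcard has to stay, record the trade-off next to it, e.g. `# WARNING: grants every org.kde.* name; only org.kde.StatusNotifierItem-<pid>-<n> is needed`.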
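Review bot: The added `sloth.xdgMusicDir` and `sloth.xdgVideosDir` in the second firefox.nix hunk appear to land in the read-write bind list (it opens above the hunk; the `bind.ro = [` list starts right after it), so a compromised browser could modify or delete everything in those directories instead of only reading files picked for upload. If write access is not required, move both entries into the `bind.ro` list that follows. The same two additions appear in the second qq.nix hunk. If write access is intended, say so in a comment, e.g. `# rw: allow saving media directly into Music/Videos`.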
@@ -41,8 +46,11 @@ mkNixPak {
 # given the read write permission to the following directories.
 # NOTE: sloth.mkdir is used to create the directory if it does not exist!
 (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
- (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/QQ"]))
+
+ sloth.xdgDocumentsDir
 sloth.xdgDownloadDir
+ sloth.xdgMusicDir
+ sloth.xdgVideosDir
 ];
 sockets = {
 x11 = false;
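Review bot: Replacing `(sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/QQ"]))` with `sloth.xdgDocumentsDir` widens QQ's write access from a dedicated subdirectory to the whole Documents directory, which gives up much of the isolation this wrapper provides for a closed-source client. Unless QQ has to write outside its own folder, keep the scoped `/QQ` entry for read-write access. If whole-directory access is only needed to pick files for sending, a read-only bind would be the narrower choice; the rest of the `bubblewrap` block is outside the hunk, so I cannot see whether this file already has a `bind.ro` list. The context comment `# given the read write permission to the following directories.` should also state that Documents, Music and Videos are now exposed in full.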