| Field | Value |
|---|---|
| author | 2026-05-13 13:43:25 +0100 |
| committer | 2026-05-13 13:43:25 +0100 |
| commit | db229deaef3b0c88f9930bd168e1779f7a4c6074 (patch) |
| tree | 9e8210b98913c670b64197b28487957d2f5e5a45 /meta |
| parent | 7f083ce825ac452c781bba9976138f249b1f7510 (diff) |
feat(flatpak): sandbox zathura + add mpv hybrid for browser/mail handoffs
Defense-in-depth for the cross-sandbox handoff vector: when the
LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the
OpenURI portal, the receiving app currently runs natively with full
$HOME access — defeating part of the browser/mail isolation.
- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC,
  fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps
  default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop,
  zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace
  stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new):
  --filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our
  chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row
Manual one-shot on host: chezmoi apply -v.
The pteid bridge already iterates a flatpak app list, so cartão de
cidadão remains correctly registered for the Mozilla flatpaks. Native
mpv config (input-ipc-server) keeps working since each flatpak has its
own /tmp; no socket collision.
Diffstat (limited to 'meta')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | meta/flatpak.txt | 2 |
| -rw-r--r-- | meta/media.txt | 4 |
| -rw-r--r-- | meta/wayland.txt | 5 |

3 files changed, 8 insertions, 3 deletions
diff --git a/meta/flatpak.txt b/meta/flatpak.txt index c76b100..abdabb7 100644 --- a/meta/flatpak.txt +++ b/meta/flatpak.txt @@ -9,10 +9,12 @@ # version embedded in the URL differs from the installed version. io.gitlab.librewolf-community +io.mpv.Mpv org.chromium.Chromium org.kde.okular org.libreoffice.LibreOffice org.mozilla.Thunderbird +org.pwmt.zathura org.torproject.torbrowser-launcher # Portuguese Citizen Card (eID) middleware + GUI. Not on Flathub; ships diff --git a/meta/media.txt b/meta/media.txt index 03a3d10..8e5b5c2 100644 --- a/meta/media.txt +++ b/meta/media.txt @@ -1,3 +1,7 @@ +# Native mpv is kept for streamlink piping and the /tmp/mpvsocket IPC +# integration; the io.mpv.Mpv flatpak (meta/flatpak.txt) is set as the +# mimeapps default for video/* so files handed off by the browser/mail +# sandbox stay sandboxed. mpv streamlink yt-dlp diff --git a/meta/wayland.txt b/meta/wayland.txt index 91d68b4..413e47b 100644 --- a/meta/wayland.txt +++ b/meta/wayland.txt @@ -40,9 +40,8 @@ imv zbar xorg-xwayland # needed for zbarcam's X11 preview -# Document viewer -zathura -zathura-pdf-mupdf +# Document viewer is the org.pwmt.zathura flatpak (see meta/flatpak.txt) so +# PDFs handed off from the browser/mail sandbox stay sandboxed. # Misc brightnessctl |
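Review bot: the two new entries in meta/flatpak.txt (`+io.mpv.Mpv`, `+org.pwmt.zathura`) carry no comment, so a reader of this list alone cannot tell that io.mpv.Mpv is an addition alongside a native mpv rather than a replacement for it; that rationale only appears in meta/media.txt. A one-line comment next to each entry, e.g. `# io.mpv.Mpv: sandboxed mimeapps default for video handoffs; native mpv stays (see meta/media.txt)`, would keep the list self-explanatory and make the dependency on the read-only xdg-config override from the commit message discoverable from here.

Review bot: the new comment in meta/media.txt says the flatpak is the mimeapps default "for video/*", while the commit message says it is the default "for video/audio"; if audio types are also being routed to io.mpv.Mpv, the comment should say `video/* and audio/*` so the file and the mimeapps.list rewrite agree. The claim that handed-off files "stay sandboxed" also holds only to the extent of the flatpak's own permission set, so the comment would be more precise if it pointed at the override script that grants `xdg-config/mpv:ro` as the thing that defines that boundary.

Review bot: the removed lines in meta/wayland.txt pinned a specific PDF backend (`-zathura-pdf-mupdf`), but the replacement comment only names the org.pwmt.zathura flatpak and does not say which document backend it ships, so it is not clear from the file whether the same formats remain supported after the switch; a short note on the bundled backend (or on how to check it) would make the hand-over complete. The comment also lives in wayland.txt under the zbar/xwayland block, so consider a blank line before `+# Document viewer is the org.pwmt.zathura flatpak` to keep it visually separated from the X11 preview note above it.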
