From cd1c92b746a51a6994281f34a5f773c37d1d2dfe Mon Sep 17 00:00:00 2001 
From: sommerfeld Date: Fri, 29 May 2026 11:18:16 +0100 Subject: refactor(flatpak): route mpv and thunderbird via flatpak; drop system pkgs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both org.mozilla.thunderbird and io.mpv.Mpv are already installed via flatpak, but several places still launched the system binaries (because they were in PATH). Worse, `mpv` was kept on the host *only* for the streamlink-launches-mpv path, and `thunderbird` was being pulled in as a hard dep of external-editor-revived even though it was never the mailer actually used. Untangle both. Thunderbird ----------- * dot_config/sway/executable_tb-toggle.sh, dot_config/sway/executable_tb-autostart.sh: swap `thunderbird` → `flatpak run org.mozilla.thunderbird`. The `app_id` matcher in sway config already targets the flatpak id, so the scratchpad-stash and Super+t toggle keep working unchanged. * etc/pacman.conf: add `AssumeInstalled = thunderbird=999.0-1`. external-editor-revived (AUR) hard-depends on `thunderbird`; this satisfies the dep without installing the package. Run `sudo pacman -Rns thunderbird` after deploy to remove the now-unneeded system binary. * meta/base.txt: document the AssumeInstalled trick next to the external-editor-revived entry. mpv --- * dot_config/streamlink/config: `player=mpv` → `player=flatpak run io.mpv.Mpv`. The flatpak already pulls in our ~/.config/mpv via the read-only filesystem override (see run_onchange_after_deploy-flatpak-overrides.sh.tmpl), so behavior is unchanged. * dot_local/bin/executable_linkhandler: same swap for inline video URLs. * dot_local/bin/executable_mpv: deleted. The wrapper only existed to bwrap /usr/bin/mpv into _sandbox-net-parser; flatpak's own sandbox supersedes that. 
* dot_local/bin/executable__sandbox-net-parser, dot_local/bin/executable_streamlink: comment refresh — mpv is no longer one of the tools this wraps, and the streamlink wrapper now forwards to the flatpak player rather than nested-bwrap caveats. * meta/base.txt: drop `mpv` from the host package list and update the surrounding comment. README.md: refresh the media row of the stack table to match. On-host steps: chezmoi apply -v sudo pacman -Syu # picks up AssumeInstalled sudo pacman -Rns thunderbird mpv # safe now flatpak install -y flathub org.mozilla.thunderbird io.mpv.Mpv swaymsg reload # pick up new tb scripts
---
 dot_local/bin/executable__sandbox-net-parser | 16 +++++++++-------
 dot_local/bin/executable_linkhandler | 2 +-
 dot_local/bin/executable_mpv | 4 ----
 dot_local/bin/executable_streamlink | 5 +++--
 4 files changed, 13 insertions(+), 14 deletions(-)
 delete mode 100644 dot_local/bin/executable_mpv
(limited to 'dot_local')
diff --git a/dot_local/bin/executable__sandbox-net-parser b/dot_local/bin/executable__sandbox-net-parser
index 648ad0f..d998ace 100644
--- a/dot_local/bin/executable__sandbox-net-parser
+++ b/dot_local/bin/executable__sandbox-net-parser
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 # Sandbox wrapper for tools that parse data from untrusted network
-# sources (mpv, yt-dlp, streamlink). The threat model is RCE in a
+# sources (yt-dlp, streamlink). The threat model is RCE in a
 # subtitle / muxer / extractor that walks the user's home directory
 # looking for SSH/GPG keys, password store, cloud tokens, etc.
 #
@@ -9,10 +9,13 @@
 # work transparently; the sandbox only tmpfs-shadows known-sensitive
 # directories so a compromised parser cannot read them.
 #
+# (mpv itself is run as the io.mpv.Mpv flatpak, which is its own
+# sandbox — no extra bwrap wrapper needed.)
+#
 # Set SANDBOX=0 to bypass entirely for a single invocation:
-# SANDBOX=0 mpv weird-codec-file.mkv
+# SANDBOX=0 streamlink weird-stream-url
 #
-# Usage (called by the per-tool wrappers): _sandbox-net-parser /usr/bin/mpv "$@"
+# Usage (called by the per-tool wrappers): _sandbox-net-parser /usr/bin/yt-dlp "$@"
 set -eu
@@ -33,10 +36,9 @@
 bin=$1
 shift
 # Prevent re-entry: any tool spawned inside the sandbox that resolves
-# `mpv`/`yt-dlp`/`streamlink` via PATH (e.g. streamlink launching mpv)
-# must find the real binary, not another wrapper that would try to
-# nest a second bwrap and fail. Strip ~/.local/bin and nix-profile/bin
-# from PATH inside the namespace.
+# `yt-dlp`/`streamlink` via PATH must find the real binary, not another
+# wrapper that would try to nest a second bwrap and fail. Strip
+# ~/.local/bin and nix-profile/bin from PATH inside the namespace.
 inner_path='/usr/local/sbin:/usr/local/bin:/usr/bin'
 exec bwrap \
diff --git a/dot_local/bin/executable_linkhandler b/dot_local/bin/executable_linkhandler
index 48dd6ae..a440634 100755
--- a/dot_local/bin/executable_linkhandler
+++ b/dot_local/bin/executable_linkhandler
@@ -18,7 +18,7 @@
 fi
 case "$url" in
 *.mkv* | *.webm* | *.mp4* | *.mp3* | *.ogg* | *.mov* | *.ts* | *.m3u8* | *.gif* | *.m4a* | *youtube.com/watch* | *youtube.com/playlist* | *youtu.be* | *twitch.tv* | *invidio.us* | *lbry* | *streamye.com* | *streamvi.com* | *streamwo.com* | *videos.lukesmith.xyz*)
- setsid mpv -quiet "$url" >/dev/null 2>&1 &
+ setsid flatpak run io.mpv.Mpv --quiet "$url" >/dev/null 2>&1 &
 ;;
 acestream://*)
 setsid acestream-launcher "$url" >/dev/null 2>&1 &
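Review bot: The added parenthetical near the top of the -9,10 hunk asserts that the io.mpv.Mpv flatpak "is its own sandbox", but this file's stated threat model (the -1,6 hunk: a parser RCE reading SSH/GPG keys and tokens out of $HOME) is only covered if that flatpak's filesystem grant actually withholds those directories, and the commit message describes the override as a read-only filesystem grant, which still allows reading ~/.ssh. The comment should state the condition rather than assert the conclusion, e.g. `# (mpv runs as the io.mpv.Mpv flatpak; that only matches this threat model if its override denies ~/.ssh, ~/.gnupg etc. — verify with flatpak info --show-permissions io.mpv.Mpv.)`. The same assumption underlies the linkhandler and streamlink changes in this patch, so one sentence here covers all three.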
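Review bot: On the added setsid line, `"$url"` still follows `--quiet` with nothing to end option parsing, so a value beginning with `-` that happens to contain one of the case substrings is handed to mpv as an option rather than a URL; the old line had the same gap, but this line is being rewritten anyway. Terminate options before the argument: `setsid flatpak run io.mpv.Mpv --quiet -- "$url" >/dev/null 2>&1 &`. The enclosing `case` opens inside this hunk and its `esac` lies outside it.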
diff --git a/dot_local/bin/executable_mpv b/dot_local/bin/executable_mpv
deleted file mode 100644
index ba6787b..0000000
--- a/dot_local/bin/executable_mpv
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env sh
-# Thin wrapper: run /usr/bin/mpv inside _sandbox-net-parser. See that
-# script for the threat model and the SANDBOX=0 escape hatch.
-exec _sandbox-net-parser /usr/bin/mpv "$@"
diff --git a/dot_local/bin/executable_streamlink b/dot_local/bin/executable_streamlink
index 86ab12a..67dc122 100644
--- a/dot_local/bin/executable_streamlink
+++ b/dot_local/bin/executable_streamlink
@@ -1,5 +1,6 @@
 #!/usr/bin/env sh
 # Thin wrapper: run /usr/bin/streamlink inside _sandbox-net-parser. The
-# sandbox strips ~/.local/bin from PATH so streamlink's internal launch
-# of `mpv` resolves to /usr/bin/mpv (avoids nested bwrap).
+# sandbox keeps `/` bind-mounted, so streamlink's configured player
+# (`flatpak run io.mpv.Mpv` — see ~/.config/streamlink/config) is reachable
+# via /usr/bin/flatpak.
 exec _sandbox-net-parser /usr/bin/streamlink "$@"
--
cgit v1.3.1
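Review bot: The rewritten comment in the streamlink hunk argues that /usr/bin/flatpak is reachable, but the open question is whether `flatpak run` — which starts its own bwrap — works from inside this bwrap namespace: the re-entry comment kept in _sandbox-net-parser (its -33,10 hunk) still says a nested bwrap "would try to nest a second bwrap and fail", and the outer sandbox's tmpfs shadowing may also hide the per-user flatpak installation or runtime sockets it needs, though the shadowed directory list is not in view. Either that retained comment is now stale or this wrapper no longer launches a player; confirm on a real stream and record the result in the comment instead of the reachability argument. If nesting does fail, a shape that keeps streamlink sandboxed and mpv in its flatpak without nesting is to pipe the stream out rather than let streamlink spawn the player, e.g. `_sandbox-net-parser /usr/bin/streamlink --stdout "$@" | flatpak run io.mpv.Mpv -`, replacing the `exec` line, assuming callers pass only URL and quality arguments.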