From db229deaef3b0c88f9930bd168e1779f7a4c6074 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:25 +0100
Subject: feat(flatpak): sandbox zathura + add mpv hybrid for browser/mail handoffs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Defense-in-depth for the cross-sandbox handoff vector: when the LibreWolf/Thunderbird flatpaks open a downloaded PDF or video via the OpenURI portal, the receiving app currently runs natively with full $HOME access — defeating part of the browser/mail isolation.

- meta/flatpak.txt: add org.pwmt.zathura, io.mpv.Mpv
- meta/wayland.txt: drop native zathura + zathura-pdf-mupdf
- meta/media.txt: keep native mpv (streamlink, /tmp/mpvsocket IPC, fast yt-dlp) — flatpak mpv is *additional*, only as the mimeapps default for video/audio to receive sandboxed handoffs
- dot_config/mimeapps.list: rewrite mpv.desktop -> io.mpv.Mpv.desktop, zathura-pdf-mupdf.desktop -> org.pwmt.zathura.desktop, and replace stale userapp-Thunderbird-* entries with org.mozilla.Thunderbird.desktop
- run_onchange_after_deploy-flatpak-overrides.sh.tmpl (new): --filesystem=xdg-config/{zathura,mpv}:ro so the flatpaks read our chezmoi-managed configs as a single source of truth
- README: media row + new deploy-script row

Manual one-shot on host: chezmoi apply -v. The pteid bridge already iterates a flatpak app list, so cartão de cidadão remains correctly registered for the Mozilla flatpaks. Native mpv config (input-ipc-server) keeps working since each flatpak has its own /tmp; no socket collision.
---
 run_onchange_after_deploy-flatpak-overrides.sh.tmpl | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 run_onchange_after_deploy-flatpak-overrides.sh.tmpl

(limited to 'run_onchange_after_deploy-flatpak-overrides.sh.tmpl')

diff --git a/run_onchange_after_deploy-flatpak-overrides.sh.tmpl b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
new file mode 100644
index 0000000..d8be763
--- /dev/null +++ b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl @@ -0,0 +1,17 @@ +#!/bin/sh +# Read-only host config bindings for flatpaks that should pick up our +# chezmoi-managed ~/.config// rather than maintaining a separate +# in-sandbox copy. Idempotent; flatpak override merges entries. +# +# script hash: {{ output "sh" "-c" (printf "sha256sum %q/run_onchange_after_deploy-flatpak-overrides.sh.tmpl 2>/dev/null || true" .chezmoi.sourceDir) }} +set -eu + +apply() { + app=$1 + shift + flatpak info --user "$app" >/dev/null 2>&1 || return 0 + flatpak override --user "$@" "$app" +} + +apply org.pwmt.zathura --filesystem=xdg-config/zathura:ro +apply io.mpv.Mpv --filesystem=xdg-config/mpv:ro -- cgit v1.3.1
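Review bot: the `flatpak info --user "$app" >/dev/null 2>&1 || return 0` guard in `apply()` silently skips an app that is not yet installed, and because this is a `run_onchange_` script whose hash comment only covers the script's own contents, a later `flatpak install` of org.pwmt.zathura or io.mpv.Mpv will not trigger a re-run, so the read-only config override never gets applied and the sandbox falls back to its own in-sandbox config without any visible error. Consider hashing the app list the commit message names (meta/flatpak.txt) into the template comment instead of the script itself, so adding an app to that list re-triggers the script, and consider printing a notice on the skip path rather than returning silently. Two smaller points on the same lines: the `--user` flag on both `flatpak info` and `flatpak override` means a system-wide install of either app is treated as absent, so the override is never written for it (worth a comment if that is intended); and since the same host `~/.config/mpv` is now bound read-only into the io.mpv.Mpv sandbox, any `input-ipc-server=/tmp/mpvsocket` line in it will be honoured inside the sandbox's private /tmp, which is what the commit message relies on, so a one-line comment in the script recording that assumption would help the next reader.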