Qt is usually built with Accessibility and D-Bus. If D-Bus
connections work, a bypass should be considered trivial.
If we block D-Bus, we experience quite some slowdowns in
certain contexts. That's because Qt makes D-Bus connections
for accessibility features etc. They appear to run into timeouts,
but this slows down things. Sandboxing also makes things
like showing (native) file picker dialogs harder.
Sandboxing efforts will focus on the critical paths such as
the existing Indexer sandbox and the to be implemented sandboxing
for preview generation.
We keep no_new_privs for now as chances are that this shouldn't hurt.
Albert S
f67a37bc21