Restrict applications in a desktop session

85restrict-applications

#!/bin/sh

# This file is sourced by Xsession(5), not executed.

# Conditionally restrict the set of applications visible to the user

if [ -e ~/.config/restrict-applications.conf -a -n "$XDG_DATA_DIRS" ]
then
	XDG_DATA_DIRS=$(restrict-applications)
fi

restrict-applications

#!/bin/sh

# Restrict the set of applications visible to the current user, by:
#
# 1. Making clones of $XDG_DATA_DIRS populated with symlinks, and removing the links
#    to applications directories. This leaves just the user's applications
#    directory available ($XDG_DATA_HOME/applications).
#
# 2. Returning a new value for XDG_DATA_DIRS that uses the cloned directories
#    instead of the originals.
#
# The default value for $XDG_DATA_HOME is $HOME/.local/share
#
# Note: if the user's session application (eg gnome-shell) isn't in their
#       applications directory they won't be able to log in.

CLONES=$HOME/.xdg_data_dirs

clone_directory()
{
	local DIR=${1%/}

	# Make DIR an absolute path
	case $DIR in
		/*) ;;
		*) DIR=$PWD/$DIR;;
	esac

	mkdir -p "$CLONES$DIR"

	ln -s "$DIR"/* "$CLONES$DIR"/

	echo "$CLONES$DIR"
}

rm -rf $CLONES

NEW_DATA_DIRS=

for DIR in $(echo "$XDG_DATA_DIRS" | tr : ' ')
do
	NEW_DATA_DIRS=$NEW_DATA_DIRS:$(clone_directory "$DIR")

	rm -f "$CLONES$DIR"/applications
done

echo "${NEW_DATA_DIRS#:}"