From 1a09b55bd4753c6d5cbecf96d1b56f23b0e44b95 Mon Sep 17 00:00:00 2001
From: Ophestra Umiker
Date: Sun, 10 Nov 2024 22:24:17 +0900
Subject: [PATCH] nix: remove portal paths from default

Despite presenting itself as a generic desktop integration interface, xdg-desktop portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.

Signed-off-by: Ophestra Umiker
---
 nixos.nix | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/nixos.nix b/nixos.nix
index 4757dab..f6f349c 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -282,12 +282,8 @@ in
 "org.mpris.MediaPlayer2.${id}.*"
 ]) ++ ext.own;
- call = {
- "org.freedesktop.portal.*" = "*";
- } // ext.call;
- broadcast = {
- "org.freedesktop.portal.*" = "@/org/freedesktop/portal/*";
- } // ext.broadcast;
+
+ inherit (ext) call broadcast;
 };
 dbusConfig = let