nix: remove portal paths from default
test / test (push) Successful in 27s Details

Despite presenting itself as a generic desktop integration interface, xdg-desktop portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
This commit is contained in:
Ophestra Umiker 2024-11-10 22:24:17 +09:00
parent 9a13b311ac
commit 1a09b55bd4
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
1 changed files with 2 additions and 6 deletions

View File

@ -282,12 +282,8 @@ in
"org.mpris.MediaPlayer2.${id}.*" "org.mpris.MediaPlayer2.${id}.*"
]) ])
++ ext.own; ++ ext.own;
call = {
"org.freedesktop.portal.*" = "*"; inherit (ext) call broadcast;
} // ext.call;
broadcast = {
"org.freedesktop.portal.*" = "@/org/freedesktop/portal/*";
} // ext.broadcast;
}; };
dbusConfig = dbusConfig =
let let