Commit Graph

17 Commits

Author SHA1 Message Date
Ophestra Umiker f8256137ae
nix: separate module options from implementation
test / test (push) Successful in 25s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 17:08:22 +09:00
Ophestra Umiker 54b47b0315
nix: copy pixmaps directory to share package
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 14:46:08 +09:00
Ophestra Umiker 8f3f0c7bbf
nix: integrate dynamic users
test / test (push) Successful in 21s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 02:49:48 +09:00
Ophestra Umiker 1a09b55bd4
nix: remove portal paths from default
test / test (push) Successful in 27s
Despite presenting itself as a generic desktop integration interface, xdg-desktop-portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-10 22:24:17 +09:00
Ophestra Umiker 9a13b311ac
app/config: rename map_real_uid from use_real_uid
test / test (push) Successful in 19s
This option only changes mapped uid in the user namespace.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00
Ophestra Umiker 431aa32291
nix: remove absolute Exec paths
test / test (push) Successful in 26s
Absolute paths set for Exec cause the program to be launched as the privileged user.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-08 02:05:47 +09:00
Ophestra Umiker ad80be721b
nix: improve start script
test / test (push) Successful in 23s
Zsh store path in shebang. Replace writeShellScript with writeScript since runtimeShell is not overridable.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 14:09:41 +09:00
Ophestra Umiker 4d90e73366
nix: generate strict sandbox configuration
test / test (push) Successful in 22s
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 04:25:15 +09:00
Ophestra Umiker b9d5fe49cb
nix: pass $SHELL for shell interpreter
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 23:01:06 +09:00
Ophestra Umiker 8f03ddc3fa
app: remove bubblewrap launch method
Launch methods serve the primary purpose of setting UID in the init namespace, which bubblewrap does not do. Furthermore, all applications will start within a bubblewrap sandbox once it has been implemented.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 00:11:04 +09:00
Ophestra Umiker 3d963b9f67
nix: include package buildInputs in devShells
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-17 23:15:33 +09:00
Ophestra Umiker d49b97b1d4
nix: pass method string directly
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-13 11:58:45 +09:00
Ophestra Umiker 88ac05be6d
nix: fix typo in nixos module implementation previously missed due to lazy eval
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 23:29:16 +09:00
Ophestra Umiker 396066de7b
nix: implement dbus-system option in nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 21:26:14 +09:00
Ophestra Umiker 0e5b85fd42
nix: implement new dbus options in nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 04:58:25 +09:00
Ophestra Umiker 60e4846542
nix: provide options for capability flags
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-08 02:45:00 +09:00
Ophestra Umiker 945cce2f5e
nix: implement nixos module
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00