Ophestra Umiker
f8256137ae
nix: separate module options from implementation
...
test / test (push) Successful in 25s
Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 17:08:22 +09:00
Ophestra Umiker
54b47b0315
nix: copy pixmaps directory to share package
...
test / test (push) Successful in 21s
Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 14:46:08 +09:00
Ophestra Umiker
8f3f0c7bbf
nix: integrate dynamic users
...
test / test (push) Successful in 21s
Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-18 02:49:48 +09:00
Ophestra Umiker
1a09b55bd4
nix: remove portal paths from default
...
test / test (push) Successful in 27s
Details
Despite presenting itself as a generic desktop integration interface, xdg-desktop portal is highly flatpak-centric and only supports flatpak and snap in practice. It is a significant attack surface to begin with as it is a privileged process which accepts input from unprivileged processes, and the lack of support for anything other than fortify also introduces various information leaks when exposed to fortify as it treats fortified programs as unsandboxed, privileged programs in many cases.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-10 22:24:17 +09:00
Ophestra Umiker
9a13b311ac
app/config: rename map_real_uid from use_real_uid
...
test / test (push) Successful in 19s
Details
This option only changes mapped uid in the user namespace.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-09 12:01:34 +09:00
Ophestra Umiker
431aa32291
nix: remove absolute Exec paths
...
test / test (push) Successful in 26s
Details
Absolute paths set for Exec causes the program to be launched as the privileged user.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-08 02:05:47 +09:00
Ophestra Umiker
ad80be721b
nix: improve start script
...
test / test (push) Successful in 23s
Details
Zsh store path in shebang. Replace writeShellScript with writeScript since runtimeShell is not overridable.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 14:09:41 +09:00
Ophestra Umiker
4d90e73366
nix: generate strict sandbox configuration
...
test / test (push) Successful in 22s
Details
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-06 04:25:15 +09:00
Ophestra Umiker
b9d5fe49cb
nix: pass $SHELL for shell interpreter
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-12 23:01:06 +09:00
Ophestra Umiker
8f03ddc3fa
app: remove bubblewrap launch method
...
Launch methods serve the primary purpose of setting UID in the init namespace, which bubblewrap does not do. Furthermore, all applications will start within a bubblewrap sandbox once it has been implemented.
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-10-10 00:11:04 +09:00
Ophestra Umiker
3d963b9f67
nix: include package buildInputs in devShells
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-17 23:15:33 +09:00
Ophestra Umiker
d49b97b1d4
nix: pass method string directly
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-13 11:58:45 +09:00
Ophestra Umiker
88ac05be6d
nix: fix typo in nixos module implementation previously missed due to lazy eval
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 23:29:16 +09:00
Ophestra Umiker
396066de7b
nix: implement dbus-system option in nixos module
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 21:26:14 +09:00
Ophestra Umiker
0e5b85fd42
nix: implement new dbus options in nixos module
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-09 04:58:25 +09:00
Ophestra Umiker
60e4846542
nix: provide options for capability flags
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-08 02:45:00 +09:00
Ophestra Umiker
945cce2f5e
nix: implement nixos module
...
Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-09-04 17:03:21 +09:00