Hi,

As one of my machines is a bit more security sensitive, I’ve been looking into securing neovim a bit more and not having Lua code “free running” on my machine. This is mostly an experiment.

I’ve been happy with the (somewhat) sense of security that firejail and the neovim profile with the no-network option give, but this all goes away once I need to run neovim with network access to update packages et al.

So my question is: is it possible to package everything I need to run neovim (Lua code, Mason-installed binaries, etc.) into an AppImage or some other format, and then run that under firejail? Which folders would I need besides the usual ones (.config/neovim)?

As for package updates, I was thinking about doing them on my personal machine, where I would then package everything and install it on the sensitive machine.

  • dontmindmehere@programming.dev · 7 days ago

    There are already official AppImages for neovim; I use them (but not with firejail) and they work fine. But the LSP stuff is all installed outside; my guess is it’d be really annoying to maintain a custom compiled AppImage.

    The best option is probably to just run neovim inside a docker container; you can then mount the directories every time you run a neovim container (~/.config/nvim, ~/.local/share/nvim, optionally ~/.local/state/nvim and your undodir/undofile; there may be more, I’m not sure).

    Assuming you want to isolate your home directory, what gets annoying is giving it access to only the code you’re editing. I’ve yet to try this, but my next plan is to give it read access to $HOME, then read/write access to the neovim dirs, and then take an argument to mount the project directory.

    Some other options, which I also haven’t tried, are:

    • distrobox, which also just creates containers but by default wants to mount your entire home directory inside them
    • devcontainers
    • lspcontainers, which isolate the LSP binaries themselves
    • LXC/LXD/Incus containers, which behave a bit differently from docker containers and could be worth looking into
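The docker approach sketched in the reply above (read-only $HOME, read/write neovim directories, one project directory passed as an argument), as an added wrapper script that is not part of the thread. It assumes an image called `nvim-sandbox` that you build yourself with neovim and your Mason binaries baked in (the name is a placeholder, no such image ships with neovim), a Docker daemon on the host, and a `NVIM_SANDBOX_DRY_RUN` variable of my own invention that prints the command instead of executing it. The `~/.cache/nvim` mount is not in the reply's list; it is added because neovim's `stdpath("cache")` lives there.

```shell
#!/bin/sh
# Added example, not code from the thread above: run neovim inside a Docker
# container with $HOME read-only, the neovim config/data/state/cache
# directories read/write, and exactly one project directory read/write.
# Assumptions: a self-built image named "nvim-sandbox" (hypothetical) and
# NVIM_SANDBOX_DRY_RUN (hypothetical) to print the command instead of running it.

nvim_sandbox() {
    project=$1
    network=${2:-none}     # "none" while editing; "bridge" only when updating plugins
    home=${HOME:?HOME must be set}

    [ -d "$project" ] || { echo "nvim_sandbox: not a directory: $project" >&2; return 1; }
    [ -d "$home" ]    || { echo "nvim_sandbox: HOME is not a directory: $home" >&2; return 1; }
    project=$(cd "$project" && pwd -P)   # docker -v needs absolute, symlink-free paths
    home=$(cd "$home" && pwd -P)

    # Mounting $HOME itself read/write would undo the read-only home mount below.
    [ "$project" != "$home" ] || { echo "nvim_sandbox: refusing to mount \$HOME read/write" >&2; return 1; }

    # Docker sorts bind mounts by destination, so the read/write neovim
    # directories override the read-only $HOME mount that contains them.
    set -- docker run --rm -it \
        --user "$(id -u):$(id -g)" \
        --network "$network" \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        -e HOME="$home" -e TERM="${TERM:-xterm-256color}" \
        -v "$home:$home:ro" \
        -v "$home/.config/nvim:$home/.config/nvim:rw" \
        -v "$home/.local/share/nvim:$home/.local/share/nvim:rw" \
        -v "$home/.local/state/nvim:$home/.local/state/nvim:rw" \
        -v "$home/.cache/nvim:$home/.cache/nvim:rw" \
        -v "$project:$project:rw" \
        -w "$project" \
        nvim-sandbox nvim

    if [ -n "${NVIM_SANDBOX_DRY_RUN:-}" ]; then
        printf '%s\n' "$@"     # one argument per line, for inspection
    else
        exec "$@"
    fi
}

# Usage: ./nvim-sandbox.sh <project-dir> [network]
case $# in 0) ;; *) nvim_sandbox "$@" ;; esac
```

Run `NVIM_SANDBOX_DRY_RUN=1 ./nvim-sandbox.sh ~/src/project` first to inspect the exact mount list before trusting it; the wrapper refuses a project path that is `$HOME` itself, since that would make the whole home directory writable again. Note that `-v` creates missing host directories as root, so make sure the four neovim directories exist before the first run, and that the network is `none` by default: pass `bridge` only for the plugin-update session, which is the same split between editing and updating that the question above is trying to achieve.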