Hi,
As one of my machines is a bit more security sensitive, I’ve been looking into securing neovim a bit more and not having Lua code “free running” on my machine. This is mostly an experiment.
I’ve been happy with the (somewhat) sense of security firejail and neovim profile with no network option gives, but then this all goes away once I need to run neovim with network access to update packages et al.
So my question is: is it possible to package all that I need to run neovim (Lua code, mason installed binaries, etc) into an app image or some other format to then run under firejail? Which folders would I need besides the usual ones (.config/neovim)?
As for package updates, I was thinking about doing it on my personal machine, where I would then package everything and install it on the sensitive machine.
You can sandbox the neovim appimage with AM and then it will ask you what locations you want to give access to. https://github.com/ivan-hc/AM
am -i nvim
am --sandbox nvim
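
One way to do the offline update described in the question, as an added example that is not from either poster: bundle the Neovim directories on the networked machine, then verify and extract them on the sensitive one. The function names are hypothetical, and the directory list assumes Neovim's default XDG locations, where the config lives in ~/.config/nvim and plugins and mason-installed binaries live under ~/.local/share/nvim.

```shell
#!/bin/sh
# Added example: offline Neovim bundle, built on the networked machine and
# installed on the sensitive one. Paths are Neovim's XDG defaults
# (assumption: XDG_CONFIG_HOME / XDG_DATA_HOME are not overridden).
NVIM_DIRS=".config/nvim .local/share/nvim"   # config; plugins + mason binaries

# nvim_bundle HOME_DIR OUT.tar.gz : archive the dirs and record a SHA-256.
nvim_bundle() {
    src=$1
    out=$2
    for d in $NVIM_DIRS; do
        [ -d "$src/$d" ] || { echo "missing $src/$d" >&2; return 1; }
    done
    # Word splitting of NVIM_DIRS is intended here.
    tar -C "$src" -czf "$out" $NVIM_DIRS || return 1
    ( cd "$(dirname "$out")" &&
      sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# nvim_install BUNDLE.tar.gz HOME_DIR : verify, vet member paths, extract.
nvim_install() {
    bundle=$1
    dest=$2
    ( cd "$(dirname "$bundle")" &&
      sha256sum -c "$(basename "$bundle").sha256" >/dev/null 2>&1 ) ||
        { echo "checksum mismatch: $bundle" >&2; return 1; }
    # Refuse members outside the expected directories or containing "..".
    allowed='^(\./)?(\.config/nvim|\.local/share/nvim)(/|$)'
    bad=$(tar -tzf "$bundle" | grep -Ev "$allowed" || true)
    dotdot=$(tar -tzf "$bundle" | grep -E '(^|/)\.\.(/|$)' || true)
    if [ -n "$bad$dotdot" ]; then
        echo "unexpected paths in bundle: $bundle" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -C "$dest" -xzf "$bundle"
}
```

The .sha256 file only detects tampering if it reaches the sensitive machine by a different path than the tarball. Pass absolute paths for the bundle and the target home directory.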