From ac2b210a1fac7739a7eaa008612169b6a3567cbd Mon Sep 17 00:00:00 2001
From: nevaforget
Date: Wed, 8 Apr 2026 11:45:56 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20audit=20remediation=20=E2=80=94=20securi?=
 =?UTF-8?q?ty,=20quality=20and=20performance=20fixes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1, S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)
---
 ci/act-runner/Dockerfile | 5 +++--
 defaults/bin/moonarch-batsaver-toggle | 3 ++-
 defaults/bin/moonarch-cpugov | 7 ++++---
 .../etc/systemd/user/cliphist-image.service | 16 ++++++++++++++++
 defaults/etc/systemd/user/cliphist-text.service | 17 +++++++++++++++++
 defaults/etc/systemd/user/cliphist.service | 16 ----------------
 .../etc/udev/rules.d/90-moonarch-battery.rules | 2 +-
 defaults/xdg/waybar/config | 3 ++-
 scripts/post-install.sh | 10 ++--------
 scripts/transform.sh | 9 ++-------
 10 files changed, 49 insertions(+), 39 deletions(-)
 create mode 100644 defaults/etc/systemd/user/cliphist-image.service
 create mode 100644 defaults/etc/systemd/user/cliphist-text.service
 delete mode 100644 defaults/etc/systemd/user/cliphist.service

diff --git a/ci/act-runner/Dockerfile b/ci/act-runner/Dockerfile
index 721283a..2094e83 100644
--- a/ci/act-runner/Dockerfile
+++ b/ci/act-runner/Dockerfile
@@ -1,8 +1,9 @@
 FROM archlinux:base-devel
 RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm
-RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
+RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -Sy *, /usr/bin/pacman -S --needed *" >> /etc/sudoers
 ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner
-RUN chmod +x /usr/local/bin/act_runner
+RUN echo "a05b2103a7cc5617197da214eaa06a1055362f21f9f475eb7fbacb8344d86cf8 /usr/local/bin/act_runner" | sha256sum -c - \
+ && chmod +x /usr/local/bin/act_runner
 COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh
 RUN mkdir -p /data && chown builder:builder /data
 USER builder
diff --git a/defaults/bin/moonarch-batsaver-toggle b/defaults/bin/moonarch-batsaver-toggle
index beb483d..2d334d1 100755
--- a/defaults/bin/moonarch-batsaver-toggle
+++ b/defaults/bin/moonarch-batsaver-toggle
@@ -10,6 +10,7 @@ CONSERVATION_LIMIT=80
 [[ -f "$THRESHOLD_FILE" ]] || exit 1
 CURRENT=$(cat "$THRESHOLD_FILE")
+[[ "$CURRENT" =~ ^[0-9]+$ ]] || exit 1
 if [[ "$CURRENT" -le "$CONSERVATION_LIMIT" ]]; then
 NEW=100
@@ -22,7 +23,7 @@ echo "$NEW" > "$THRESHOLD_FILE" || exit 1
 # Persist for next boot
 mkdir -p "$STATE_DIR"
-echo "$NEW" > "$STATE_FILE"
+echo "$NEW" > "$STATE_FILE" || exit 1
 # Signal Waybar to refresh the batsaver module (SIGRTMIN+9)
 pkill -RTMIN+9 waybar
diff --git a/defaults/bin/moonarch-cpugov b/defaults/bin/moonarch-cpugov
index fd2bb54..d31ae4b 100755
--- a/defaults/bin/moonarch-cpugov
+++ b/defaults/bin/moonarch-cpugov
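Review bot: The tightened sudoers line still grants more than package installation, because a `*` in a sudoers command argument matches the remainder of the argument string, options included, so `builder` may append any further pacman flags after `-Sy` or `-S --needed` (see sudoers(5) on wildcards in command arguments). If the intent is only `pacman -Sy` plus `pacman -S --needed <packages>`, the usual remedy is a small root-owned wrapper script that validates its arguments as package names and is listed in sudoers without wildcards. The new checksum RUN works, but the preceding `ADD <url>` layer is still fetched unverified; with BuildKit and a recent dockerfile frontend the same hash can be enforced at fetch time as `ADD --checksum=sha256:a05b2103a7cc5617197da214eaa06a1055362f21f9f475eb7fbacb8344d86cf8 https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner`, leaving only `RUN chmod +x /usr/local/bin/act_runner`. The unchanged `COPY --from=gitea/act_runner:latest` is outside this change but remains the one unpinned input in the stage.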
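Review bot: With `echo "$NEW" > "$STATE_FILE" || exit 1` the script now aborts after the sysfs threshold on the earlier line has already been changed, so a failed persist (for instance an unwritable `$STATE_DIR`) leaves the live threshold toggled but skips the `pkill -RTMIN+9 waybar` refresh, and the bar shows a stale state. Since the hardware write is the operation that matters, the persist failure is better treated as non-fatal for the refresh: `mkdir -p "$STATE_DIR" && echo "$NEW" > "$STATE_FILE" || echo "warning: could not persist $STATE_FILE" >&2`, followed by the signal as before. That form also covers the `mkdir -p "$STATE_DIR"` on the line above, which is still unchecked.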
@@ -60,11 +60,12 @@ fi
 # check if choice exists
 if test "${COMMANDS[$choice]+isset}"
 then
- # Execute the choice — eval required because COMMANDS values contain
- # multi-word strings that must be interpreted as full commands.
- eval "${COMMANDS[$choice]}"
+ ${COMMANDS[$choice]}
 notify-send -h string:x-canonical-private-synchronous:cpugov -i cpu "CPU Mode" "Set to $choice ${LABELS[$choice]}"
+
+ # Signal Waybar to refresh the cpugov module (SIGRTMIN+10)
+ pkill -RTMIN+10 waybar
 else
 notify-send -u critical "CPU Governor" "Unknown command: ${choice}"
 fi
diff --git a/defaults/etc/systemd/user/cliphist-image.service b/defaults/etc/systemd/user/cliphist-image.service
new file mode 100644
index 0000000..9ab51cc
--- /dev/null
+++ b/defaults/etc/systemd/user/cliphist-image.service
@@ -0,0 +1,16 @@
+# ABOUTME: systemd user service for image clipboard history via cliphist + wl-paste.
+# ABOUTME: Stores image clipboard entries in XDG_RUNTIME_DIR.
+
+[Unit]
+Description=Clipboard history manager (image)
+PartOf=graphical-session.target
+After=cliphist-text.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wl-paste --type image --watch cliphist -db-path %t/cliphist/db store
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=graphical-session.target
diff --git a/defaults/etc/systemd/user/cliphist-text.service b/defaults/etc/systemd/user/cliphist-text.service
new file mode 100644
index 0000000..fae45ea
--- /dev/null
+++ b/defaults/etc/systemd/user/cliphist-text.service
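Review bot: Replacing `eval` with the unquoted `${COMMANDS[$choice]}` changes how the values are interpreted: the expansion is word-split on IFS and glob-expanded, but quotes, redirections, pipes and `&&` inside a value are now handed to the command as literal arguments instead of being interpreted. The removed comment says the values are multi-word command strings, and COMMANDS is defined outside this hunk, so please confirm every value is a plain argv with no shell syntax and record that constraint above the line, e.g. `# COMMANDS values must be plain argv strings (no quotes/redirections): they are word-split, not eval'd`. Independently, the success notification and the new `pkill -RTMIN+10 waybar` run whether or not the command succeeded; `if ${COMMANDS[$choice]}; then … else notify-send -u critical "CPU Governor" "Failed to apply: ${choice}"; fi` keeps the bar and the user in step with the actual state.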
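Review bot: `After=cliphist-text.service` only orders this unit; it does not pull the text unit in, so when cliphist-image is started on its own, or cliphist-text is disabled, the `%t/cliphist` directory that the text unit's ExecStartPre creates may not exist, and whether cliphist creates parent directories for `-db-path` is not shown here. Either make the dependency explicit with `Wants=cliphist-text.service` beside the `After=` line, or make the unit self-contained with its own `ExecStartPre=/usr/bin/mkdir -p %t/cliphist`. Note also that, unlike the text unit, this one has no `After=graphical-session.target`, so its ordering relative to the session environment appears to rely on the text unit being part of the same start-up transaction.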
@@ -0,0 +1,17 @@
+# ABOUTME: systemd user service for text clipboard history via cliphist + wl-paste.
+# ABOUTME: Wipes history on start, stores text entries in XDG_RUNTIME_DIR.
+
+[Unit]
+Description=Clipboard history manager (text)
+PartOf=graphical-session.target
+After=graphical-session.target
+
+[Service]
+Type=simple
+ExecStartPre=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && /usr/bin/cliphist wipe'
+ExecStart=/usr/bin/wl-paste --watch cliphist -db-path %t/cliphist/db store
+Restart=on-failure
+RestartSec=3
+
+[Install]
+WantedBy=graphical-session.target
diff --git a/defaults/etc/systemd/user/cliphist.service b/defaults/etc/systemd/user/cliphist.service
deleted file mode 100644
index a842aa3..0000000
--- a/defaults/etc/systemd/user/cliphist.service
+++ /dev/null
@@ -1,16 +0,0 @@
-# ABOUTME: systemd user service for clipboard history (cliphist + wl-paste).
-# ABOUTME: Stores text and image clipboard entries, wipes history on session end.
-
-[Unit]
-Description=Clipboard history manager
-PartOf=graphical-session.target
-After=graphical-session.target
-
-[Service]
-Type=forking
-ExecStartPre=/usr/bin/cliphist wipe
-ExecStart=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && wl-paste --watch cliphist -db-path $XDG_RUNTIME_DIR/cliphist/db store & wl-paste --type image --watch cliphist -db-path $XDG_RUNTIME_DIR/cliphist/db store &'
-RemainAfterExit=yes
-
-[Install]
-WantedBy=graphical-session.target
diff --git a/defaults/etc/udev/rules.d/90-moonarch-battery.rules b/defaults/etc/udev/rules.d/90-moonarch-battery.rules
index 1baa703..d424027 100644
--- a/defaults/etc/udev/rules.d/90-moonarch-battery.rules
+++ b/defaults/etc/udev/rules.d/90-moonarch-battery.rules
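Review bot: The `ExecStartPre` wipe runs `/usr/bin/cliphist wipe` without `-db-path`, while `ExecStart` stores into `%t/cliphist/db`, so the wipe appears to target cliphist's default database rather than the one this unit writes, and the ABOUTME line "Wipes history on start" would then not describe what happens. The `/bin/sh -c` wrapper is also unnecessary because systemd expands `%t` to the runtime directory: `ExecStartPre=/usr/bin/mkdir -p %t/cliphist` followed by `ExecStartPre=/usr/bin/cliphist -db-path %t/cliphist/db wipe` (ExecStartPre lines run in order) does the same without depending on `$XDG_RUNTIME_DIR` being set in the unit's environment. If the runtime directory is a per-session tmpfs on this system, a wipe of that path is largely redundant and worth a one-line comment in the unit saying why it is kept.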
@@ -1,4 +1,4 @@
 # ABOUTME: udev rule granting wheel group write access to battery charge threshold.
 # ABOUTME: Enables unprivileged toggling of conservation mode via moonarch-batsaver-toggle.
-SUBSYSTEM=="power_supply", ATTR{type}=="Battery", RUN+="/bin/sh -c 'chgrp wheel /sys%p/charge_control_end_threshold 2>/dev/null; chmod g+w /sys%p/charge_control_end_threshold 2>/dev/null'"
+SUBSYSTEM=="power_supply", ACTION=="add", ATTR{type}=="Battery", RUN+="/bin/sh -c 'chgrp wheel /sys%p/charge_control_end_threshold 2>/dev/null; chmod g+w /sys%p/charge_control_end_threshold 2>/dev/null'"
diff --git a/defaults/xdg/waybar/config b/defaults/xdg/waybar/config
index 763cdff..78b6de7 100644
--- a/defaults/xdg/waybar/config
+++ b/defaults/xdg/waybar/config
@@ -296,7 +296,8 @@
 "custom/cpugov": {
 "exec": "moonarch-waybar-cpugov",
 "return-type": "json",
- "interval": 5,
+ "interval": 60,
+ "signal": 10,
 "on-click": "moonarch-cpugov"
 },
 "custom/gpu-usage": {
diff --git a/scripts/post-install.sh b/scripts/post-install.sh
index 85c1189..65f8023 100755
--- a/scripts/post-install.sh
+++ b/scripts/post-install.sh
@@ -125,7 +125,8 @@ log "Enabling systemd user services..."
 USER_SERVICES=(
 "kanshi"
 "stasis"
- "cliphist"
+ "cliphist-text"
+ "cliphist-image"
 )
 for service in "${USER_SERVICES[@]}"; do
@@ -183,13 +184,6 @@ for entry in /boot/loader/entries/*.conf; do
 fi
 done
-# --- Docker-Gruppe ---
-
-if ! groups | grep -q docker; then
- log "Adding user to docker group..."
- sudo usermod -aG docker "$USER"
-fi
-
 # --- Screenshots directory ---
 mkdir -p "$HOME/Pictures/Screenshots"
diff --git a/scripts/transform.sh b/scripts/transform.sh
index edca7c0..8d82c00 100755
--- a/scripts/transform.sh
+++ b/scripts/transform.sh
@@ -329,7 +329,8 @@ log "Enabling systemd user services..."
 USER_SERVICES=(
 "kanshi"
 "stasis"
- "cliphist"
+ "cliphist-text"
+ "cliphist-image"
 )
 for service in "${USER_SERVICES[@]}"; do
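Review bot: The new `ACTION=="add"` filter assumes `charge_control_end_threshold` already exists when the power_supply device is added; if on the target hardware the attribute is supplied by a platform driver's battery hook that registers after the battery device appears, the add-time `chgrp`/`chmod` hits a missing file (silently, because of the `2>/dev/null`) and no later event repairs it, which the previous any-action rule did incidentally. That is worth checking once on the target machine (`udevadm trigger` then `ls -l` on the attribute). If the attribute can appear late, a `TEST=="charge_control_end_threshold"` match makes the rule honest and lets the `2>/dev/null` go, e.g. `SUBSYSTEM=="power_supply", ACTION=="add|change", ATTR{type}=="Battery", TEST=="charge_control_end_threshold", RUN+="…"`, though `change` reintroduces per-event runs, so a one-off `udevadm trigger` from post-install may be the cheaper fix.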
@@ -373,12 +374,6 @@ sudo ufw default deny incoming
 sudo ufw default allow outgoing
 sudo ufw --force enable
-# Docker group
-if ! groups | grep -q docker; then
- log "Adding user to docker group..."
- sudo usermod -aG docker "$USER"
-fi
-
 # Directories
 mkdir -p "$HOME/Pictures/Screenshots"
 mkdir -p "$HOME/Pictures/Wallpaper"