nevaforget/moonarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: audit remediation — security, quality and performance fixes
All checks were successful
Update PKGBUILD version / update-pkgver (push) Successful in 3s
Details

Browse Source 
- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)
This commit is contained in:
nevaforget 2026-04-08 11:45:56 +02:00
parent e1e80ca414
commit ac2b210a1f
10 changed files with 49 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ci/act-runner/Dockerfile
View File

@ -1,8 +1,9 @@
FROM archlinux:base-devel FROM archlinux:base-devel
RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm
RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -Sy *, /usr/bin/pacman -S --needed *" >> /etc/sudoers
ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner
RUN chmod +x /usr/local/bin/act_runner RUN echo "a05b2103a7cc5617197da214eaa06a1055362f21f9f475eb7fbacb8344d86cf8 /usr/local/bin/act_runner" | sha256sum -c - \
&& chmod +x /usr/local/bin/act_runner
COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh
RUN mkdir -p /data && chown builder:builder /data RUN mkdir -p /data && chown builder:builder /data
USER builder USER builder

3
defaults/bin/moonarch-batsaver-toggle
View File

@ -10,6 +10,7 @@ CONSERVATION_LIMIT=80
[[ -f "$THRESHOLD_FILE" ]] || exit 1 [[ -f "$THRESHOLD_FILE" ]] || exit 1
CURRENT=$(cat "$THRESHOLD_FILE") CURRENT=$(cat "$THRESHOLD_FILE")
[[ "$CURRENT" =~ ^[0-9]+$ ]] || exit 1
if [[ "$CURRENT" -le "$CONSERVATION_LIMIT" ]]; then if [[ "$CURRENT" -le "$CONSERVATION_LIMIT" ]]; then
NEW=100 NEW=100
@ -22,7 +23,7 @@ echo "$NEW" > "$THRESHOLD_FILE" || exit 1
# Persist for next boot # Persist for next boot
mkdir -p "$STATE_DIR" mkdir -p "$STATE_DIR"
echo "$NEW" > "$STATE_FILE" echo "$NEW" > "$STATE_FILE" || exit 1
# Signal Waybar to refresh the batsaver module (SIGRTMIN+9) # Signal Waybar to refresh the batsaver module (SIGRTMIN+9)
pkill -RTMIN+9 waybar pkill -RTMIN+9 waybar

7
defaults/bin/moonarch-cpugov
View File

@ -60,11 +60,12 @@ fi
# check if choice exists # check if choice exists
if test "${COMMANDS[$choice]+isset}" if test "${COMMANDS[$choice]+isset}"
then then
# Execute the choice — eval required because COMMANDS values contain ${COMMANDS[$choice]}
# multi-word strings that must be interpreted as full commands.
eval "${COMMANDS[$choice]}"
notify-send -h string:x-canonical-private-synchronous:cpugov -i cpu "CPU Mode" "Set to $choice ${LABELS[$choice]}" notify-send -h string:x-canonical-private-synchronous:cpugov -i cpu "CPU Mode" "Set to $choice ${LABELS[$choice]}"
# Signal Waybar to refresh the cpugov module (SIGRTMIN+10)
pkill -RTMIN+10 waybar
else else
notify-send -u critical "CPU Governor" "Unknown command: ${choice}" notify-send -u critical "CPU Governor" "Unknown command: ${choice}"
fi fi

16
defaults/etc/systemd/user/cliphist-image.service Normal file
View File

@ -0,0 +1,16 @@
# ABOUTME: systemd user service for image clipboard history via cliphist + wl-paste.
# ABOUTME: Stores image clipboard entries in XDG_RUNTIME_DIR.
[Unit]
Description=Clipboard history manager (image)
PartOf=graphical-session.target
After=cliphist-text.service
[Service]
Type=simple
ExecStart=/usr/bin/wl-paste --type image --watch cliphist -db-path %t/cliphist/db store
Restart=on-failure
RestartSec=3
[Install]
WantedBy=graphical-session.target

17
defaults/etc/systemd/user/cliphist-text.service Normal file
View File

@ -0,0 +1,17 @@
# ABOUTME: systemd user service for text clipboard history via cliphist + wl-paste.
# ABOUTME: Wipes history on start, stores text entries in XDG_RUNTIME_DIR.
[Unit]
Description=Clipboard history manager (text)
PartOf=graphical-session.target
After=graphical-session.target
[Service]
Type=simple
ExecStartPre=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && /usr/bin/cliphist wipe'
ExecStart=/usr/bin/wl-paste --watch cliphist -db-path %t/cliphist/db store
Restart=on-failure
RestartSec=3
[Install]
WantedBy=graphical-session.target

16
defaults/etc/systemd/user/cliphist.service
View File

@ -1,16 +0,0 @@
# ABOUTME: systemd user service for clipboard history (cliphist + wl-paste).
# ABOUTME: Stores text and image clipboard entries, wipes history on session end.
[Unit]
Description=Clipboard history manager
PartOf=graphical-session.target
After=graphical-session.target
[Service]
Type=forking
ExecStartPre=/usr/bin/cliphist wipe
ExecStart=/bin/sh -c 'mkdir -p $XDG_RUNTIME_DIR/cliphist && wl-paste --watch cliphist -db-path $XDG_RUNTIME_DIR/cliphist/db store & wl-paste --type image --watch cliphist -db-path $XDG_RUNTIME_DIR/cliphist/db store &'
RemainAfterExit=yes
[Install]
WantedBy=graphical-session.target

2
defaults/etc/udev/rules.d/90-moonarch-battery.rules
View File

@ -1,4 +1,4 @@
# ABOUTME: udev rule granting wheel group write access to battery charge threshold. # ABOUTME: udev rule granting wheel group write access to battery charge threshold.
# ABOUTME: Enables unprivileged toggling of conservation mode via moonarch-batsaver-toggle. # ABOUTME: Enables unprivileged toggling of conservation mode via moonarch-batsaver-toggle.
SUBSYSTEM=="power_supply", ATTR{type}=="Battery", RUN+="/bin/sh -c 'chgrp wheel /sys%p/charge_control_end_threshold 2>/dev/null; chmod g+w /sys%p/charge_control_end_threshold 2>/dev/null'" SUBSYSTEM=="power_supply", ACTION=="add", ATTR{type}=="Battery", RUN+="/bin/sh -c 'chgrp wheel /sys%p/charge_control_end_threshold 2>/dev/null; chmod g+w /sys%p/charge_control_end_threshold 2>/dev/null'"

3
defaults/xdg/waybar/config
View File

@ -296,7 +296,8 @@
"custom/cpugov": { "custom/cpugov": {
"exec": "moonarch-waybar-cpugov", "exec": "moonarch-waybar-cpugov",
"return-type": "json", "return-type": "json",
"interval": 5, "interval": 60,
"signal": 10,
"on-click": "moonarch-cpugov" "on-click": "moonarch-cpugov"
}, },
"custom/gpu-usage": { "custom/gpu-usage": {

10
scripts/post-install.sh
View File

@ -125,7 +125,8 @@ log "Enabling systemd user services..."
USER_SERVICES=( USER_SERVICES=(
"kanshi" "kanshi"
"stasis" "stasis"
"cliphist" "cliphist-text"
"cliphist-image"
) )
for service in "${USER_SERVICES[@]}"; do for service in "${USER_SERVICES[@]}"; do
@ -183,13 +184,6 @@ for entry in /boot/loader/entries/*.conf; do
fi fi
done done
# --- Docker-Gruppe ---
if ! groups | grep -q docker; then
log "Adding user to docker group..."
sudo usermod -aG docker "$USER"
fi
# --- Screenshots directory --- # --- Screenshots directory ---
mkdir -p "$HOME/Pictures/Screenshots" mkdir -p "$HOME/Pictures/Screenshots"

9
scripts/transform.sh
View File

@ -329,7 +329,8 @@ log "Enabling systemd user services..."
USER_SERVICES=( USER_SERVICES=(
"kanshi" "kanshi"
"stasis" "stasis"
"cliphist" "cliphist-text"
"cliphist-image"
) )
for service in "${USER_SERVICES[@]}"; do for service in "${USER_SERVICES[@]}"; do
@ -373,12 +374,6 @@ sudo ufw default deny incoming
sudo ufw default allow outgoing sudo ufw default allow outgoing
sudo ufw --force enable sudo ufw --force enable
# Docker group
if ! groups | grep -q docker; then
log "Adding user to docker group..."
sudo usermod -aG docker "$USER"
fi
# Directories # Directories
mkdir -p "$HOME/Pictures/Screenshots" mkdir -p "$HOME/Pictures/Screenshots"
mkdir -p "$HOME/Pictures/Wallpaper" mkdir -p "$HOME/Pictures/Wallpaper"