If run as root we were leaking mounts to the parent namespace,
which led to an error when removing the temporary mountroot.
To fix this we remount the whole tree as private as soon as we have created
the new mount namespace.
(cherry picked from commit 43908f4c1d8489ca284c47fb835ec3fa348016b0)

tmuxinator 2.0.3 fixes a compatibility warning with tmux 2.3, which is
the version packaged on NixOS 21.05.
See https://github.com/tmuxinator/tmuxinator/issues/814
(cherry picked from commit 28ab65b5869c6673e359093662a1dfe3aba9b829)

ChangeLog: 1886c8abed/CHANGELOG.md (560-beta6-2021-05-31)
Even though this isn't explicitly noted in the Changelog, this seems to
have fixed the Element integration for me.
Additionally, I added a (hacky) `xdg-open` wrapper which removes the
`GDK_BACKEND` variable to fix the XWayland integration[1]. The problem
is that if a Firefox is running with Wayland (`ferdi` is running under
X11) and `GDK_BACKEND=x11` is passed to the `xdg-open` (and thus
`firefox`) process, Firefox refuses to start since another instance of
it is running under Wayland (but attempts to start in X11 mode because of
`GDK_BACKEND=x11`).
[1] https://github.com/electron/electron/issues/28436
(cherry picked from commit cd4ad7d2fee90fc3afb9f3f3957a7289f02f89dc)

Rambox hasn't had a stable release in a while and has an increasing number
of issues, which is why I don't intend to use this anymore.
While taking a closer look at the source I also realized that it uses
Electron 7.2.4[1]. This is not only EOLed[2], it also contains a few
security vulnerabilities which is why I decided to mark it as insecure.
A few (most likely not all) vulnerabilities can be found by looking at
the Electron 7 changelog[3]: after 7.2.4 there were a few more releases
with security backports - mostly from Chromium. Security issues that
were found later on (and are probably exploitable on the dependency
chain of rambox) aren't listed here. I only added two issues that seemed
applicable to `rambox`, but I haven't researched enough to check the
other ones.
[1] https://github.com/ramboxapp/community-edition/blob/0.7.7/package.json#L70
[2] https://www.electronjs.org/docs/tutorial/support#currently-supported-versions
[3] https://www.electronjs.org/releases/stable?version=7
(cherry picked from commit e2a15cd395f1e137c680d22f83cd195caf3d6c14)

When running make manually, makeFlags will not be passed. Let’s just use an environment variable.
(cherry picked from commit 034a9c0e16aab12978bb4a1c1f0e86c64778b388)

In 0.3.0 of the json-exporter[1] it was switched to a different jsonpath
library which made some changes - especially for spaces in keys -
necessary. Also I decided to remove the pretty-printed JSON as this
would interfere with the bash quoting too much. If one needs
pretty-printed output, they can still pipe the output to `jq`.
[1] https://github.com/prometheus-community/json_exporter/releases/tag/v0.3.0
(cherry picked from commit 976d668e5c5566c3e96b17d667830a0f3ed1bbb5)

Fixes a local privilege escalation using polkit_system_bus_name_get_creds_sync()
Fixes: CVE-2021-3560
(cherry picked from commit 26ac1d5db953292d78f0585dd8baccd9a36a44a4)