this post was submitted on 28 Aug 2025
1 points (100.0% liked)

Neovim

2802 readers
2 users here now

founded 2 years ago
MODERATORS
erlingur@programming.dev
howarddo@programming.dev
lung@lemmy.world
1
Neovim security (lemmy.sdf.org)
submitted 7 months ago by witx@lemmy.sdf.org to c/neovim@programming.dev
3 comments fedilink hide all child comments
 

Hi,

As one of my machines is a bit more security sensitive I've been looking into securing neovim a bit more and not having Lua code "free running" on my machine. This is mostly an experiment

I've been happy with the (somewhat) sense of security firejail and neovim profile with no network option gives but then this all goes away once I need to run neovim with network access to update packages et al.

So my question is: is it possible to package all that I need to run neovim (Lua code, mason installed binaries, etc) into an app image or some other format to then run under firejail? Which folders would I need besides the usual ones (.config/neovim)

As for package updates I was thinking about doing it in my personal machine where I would then package everything and install it on the sensitive machine

top 3 comments
sorted by: hot top controversial new old
[–] dontmindmehere@programming.dev 0 points 7 months ago

there's already official appimages for neovim, I use them (but not with firejail) and they work fine. but the lsp stuff is all installed outside, my guess is it'd be really annoying to mantain a custom compiled appimage

the best option is probably to just run neovim inside a docker container, you can then mount the directories every time you run a neovim container (~/.config/nvim, ~/.local/share/nvim, optionally .local/state/nvim and your undodir/undofile, there may be more I'm not sure).

assuming you want to isolate your home directory, what gets annoying is giving it access to only the code you're editing, I've yet to try this but my next plan is to give it read access to $HOME, then read/write access to the neovim dirs, and then take an argument to mount the project directory

some other options which I also haven't tried are

  • distrobox, which just creates containers as well but by default wants to mount your entire homedir inside them
  • devcontainers
  • lspcontainers which isolate the LSP binaries themselves
  • LXC/LXD/Incus containers which behave a bit different from docker containers, could be worth looking into
[–] Samueru_sama@programming.dev 0 points 7 months ago

You can sandbox the neovim appimage with AM and then it will ask you what locations you want to give access to. https://github.com/ivan-hc/AM

am -i nvim

am --sandbox nvim

[–] farcaller@fstab.sh 0 points 7 months ago

If you want to go the "packaging way", you could use nix's nixCats-nvim to make a fully hermetic nvim installation where you track the origin of all the dependencies (LSPs too) and plugins, all with receipts and hashes and all the good stuff of a reproducible build system. The security industry likes reproducible build systems because there's only one way you can go from source to the artifact.

Then, you package that in e.g. a docker container (which nix can build for you, too) and ship where you need it.