xdg-autostart: Add readOnly option (#6629)

When `readOnly` is set to `true` the autostart entries are linked from
a readonly directory in the nix store and `XDG_CONFIG_HOME/autostart` is
a link to that directory, so that programs cannot install arbitrary
autostart services.

modules/misc/xdg-autostart.nix

@@ -1,25 +1,31 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   inherit (builtins) baseNameOf listToAttrs map unsafeDiscardStringContext;
   inherit (lib) literalExpression mkEnableOption mkIf mkOption types;
 
   cfg = config.xdg.autostart;
 
-  /* "/nix/store/x-foo/application.desktop" -> {
-       name = "autostart/application.desktop";
-       value = { source = "/nix/store/x-foo/application.desktop"; };
-     }
-  */
-  mapDesktopEntry = entry: {
-    name = "autostart/${unsafeDiscardStringContext (baseNameOf entry)}";
-    value.source = entry;
-  };
+  linkedDesktopEntries = pkgs.runCommandNoCCLocal "xdg-autostart-entries" { } ''
+    mkdir -p $out
+    ${lib.concatMapStringsSep "\n" (e: "ln -s ${e} $out") cfg.entries}
+  '';
+
 in {
   meta.maintainers = with lib.maintainers; [ Scrumplex ];
 
   options.xdg.autostart = {
     enable = mkEnableOption "creation of XDG autostart entries";
 
+    readOnly = mkOption {
+      type = lib.types.bool;
+      description = ''
+        Make `XDG_CONFIG_HOME/autostart` a symlink to a readonly directory so that
+        programs cannot install arbitrary autostart services.
+      '';
+      default = false;
+      example = true;
+    };
+
     entries = mkOption {
       type = with types; listOf path;
       description = ''
@@ -35,6 +41,9 @@ in {
   };
 
   config = mkIf (cfg.enable && cfg.entries != [ ]) {
-    xdg.configFile = listToAttrs (map mapDesktopEntry cfg.entries);
+    xdg.configFile.autostart = {
+      source = linkedDesktopEntries;
+      recursive = !cfg.readOnly;
+    };
   };
 }