WIP Android-style application sandbox for Linux desktop applications.

Go to file

Ophestra Umiker 1906853382 clean up setup/launcher code and enable better control over shares In the past Wayland, X and PulseAudio are shared unconditionally. This can unnecessarily increase attack surface as some of these resources might not be needed at all. This commit moves all environment preparation code to the internal app package and selectively call them based on flags. An "enablements" bitfield is introduced tracking all enabled shares. This value is registered after successful child process launch and stored in launcher states. Code responsible for running the child process is isolated to its own app/run file and cleaned up. Launch method selection is also extensively cleaned up. The internal state/track readLaunchers function now takes uid as an argument. Launcher state is now printed using text/tabwriter and argv is only emitted when verbose. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>		2024-09-08 02:24:01 +09:00
.gitea/workflows	workflows: rename binary to fortify	2024-09-04 01:27:04 +09:00
internal	clean up setup/launcher code and enable better control over shares	2024-09-08 02:24:01 +09:00
.gitignore	rename to fortify and restructure	2024-09-04 01:20:12 +09:00
LICENSE	apply MIT license	2024-07-16 20:49:00 +09:00
README.md	update README document	2024-09-04 19:54:35 +09:00
cli.go	clean up setup/launcher code and enable better control over shares	2024-09-08 02:24:01 +09:00
flake.lock	nix: implement nixos module	2024-09-04 17:03:21 +09:00
flake.nix	nix: implement nixos module	2024-09-04 17:03:21 +09:00
go.mod	rename to fortify and restructure	2024-09-04 01:20:12 +09:00
license.go	license: embed license in executable	2024-07-16 22:07:40 +09:00
main.go	clean up setup/launcher code and enable better control over shares	2024-09-08 02:24:01 +09:00
nixos.nix	nix: implement nixos module	2024-09-04 17:03:21 +09:00
package.nix	release: 1.0.4	2024-09-04 19:57:47 +09:00

README.md

Fortify

Lets you run graphical applications as another user ~~in an Android-like sandbox environment~~ (WIP) with a nice NixOS module to configure target users and provide launchers and desktop files for your privileged user.

Why would you want this?

It protects the desktop environment from applications.
It protects applications from each other.
It provides UID isolation on top of ~~the standard application sandbox~~ (WIP).

There are a few different things to set up for this to work:

A set of users, each for a group of applications that should be allowed access to each other
A tool to switch users, currently sudo and machinectl are supported.
If you are running NixOS, the module in this repository can take care of launchers and desktop files in the privileged user's environment, as well as packages and extra home-manager configuration for target users.

If you have a flakes-enabled nix environment, you can try out the tool by running:

nix run git+https://git.ophivana.moe/cat/fortify -- -h

Module usage

The NixOS module currently requires home-manager and impermanence to function correctly.

To use the module, import it into your configuration with

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

    fortify = {
      url = "git+https://git.ophivana.moe/cat/fortify";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, fortify, ... }:
  {
    nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        fortify.nixosModules.fortify
      ];
    };
  };
}

This adds the environment.fortify option:

{ pkgs, ... }:

{
  environment.fortify = {
    enable = true;
    user = "nixos";
    shell = "zsh";
    stateDir = "/var/lib/persist/module";
    target = {
      chronos = {
        launchers = {
          weechat.method = "sudo";
          claws-mail.pulse = false;
          discord = {
            command = "vesktop --ozone-platform-hint=wayland";
            share = pkgs.vesktop;
          };
        };
        packages = with pkgs; [
          weechat
          claws-mail
          vesktop
        ];
        persistence.directories = [
          ".config/weechat"
          ".claws-mail"
          ".config/vesktop"
        ];
        extraConfig = {
          programs.looking-glass-client.enable = true;
        };
      };
    };
  };
}

enable determines whether the module should be enabled or not. Useful when sharing configurations between graphical and headless systems. Defaults to false.
user specifies the privileged user with access to fortified applications.
shell is the shell used to run the launch command, required for sourcing the home-manager environment.
stateDir is the path to your persistent storage location. It is directly passed through to the impermanence module.
target is an attribute set of submodules, where the attribute name is the username of the unprivileged target user.

The available options are:
- packages, the list of packages to make available in the target user's environment.
- persistence, user persistence attribute set passed to impermanence.
- extraConfig, extra home-manager configuration for the target user.
- launchers, attribute set where the attribute name is the name of the launcher.
  
  The available options are:
  - command, the command to run as the target user. Defaults to launcher name.
  - pulse, whether to share the PulseAudio socket and cookie.
  - share, package containing desktop/icon files. Defaults to launcher name.
  - method, the launch method for the sandboxed program, can be "fortify", "fortify-sudo", "sudo".