Linux desktop application sandbox.
Go to file
Ophestra Umiker 9faf3b3596
test / test (push) Successful in 23s Details
app: validate username
This value is used for passwd generation. Bad input can cause very confusing issues. This is not a security issue, however validation will improve user experience.

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
2024-11-19 21:01:41 +09:00
.gitea/workflows app: integrate fsu 2024-11-16 21:19:45 +09:00
acl add package doc comments 2024-10-28 20:57:59 +09:00
cmd cmd/fshim/ipc: install signal handler on shim start 2024-11-18 13:33:46 +09:00
dbus add package doc comments 2024-10-28 20:57:59 +09:00
helper add package doc comments 2024-10-28 20:57:59 +09:00
internal app: validate username 2024-11-19 21:01:41 +09:00
ldd add package doc comments 2024-10-28 20:57:59 +09:00
xcb add package doc comments 2024-10-28 20:57:59 +09:00
.gitignore rename to fortify and restructure 2024-09-04 01:20:12 +09:00
LICENSE apply MIT license 2024-07-16 20:49:00 +09:00
README.md update README document 2024-11-19 18:14:06 +09:00
error.go fmsg: support temporarily withholding output 2024-10-26 23:09:32 +09:00
flake.lock nix: implement nixos module 2024-09-04 17:03:21 +09:00
flake.nix nix: update options doc 2024-11-19 18:12:35 +09:00
go.mod migrate to git.ophivana.moe/security/fortify 2024-10-20 19:50:13 +09:00
main.go fortify: permissive defaults resolve home directory from os 2024-11-18 13:01:07 +09:00
nixos.nix nix: module descriptions 2024-11-19 18:10:57 +09:00
options.md nix: update options doc 2024-11-19 18:12:35 +09:00
options.nix nix: module descriptions 2024-11-19 18:10:57 +09:00
package.nix release: 0.2.0 2024-11-19 18:15:09 +09:00

README.md

Fortify

Go Reference Go Report Card

Lets you run graphical applications as another user in a confined environment with a nice NixOS module to configure target users and provide launchers and desktop files for your privileged user.

Why would you want this?

  • It protects the desktop environment from applications.

  • It protects applications from each other.

  • It provides UID isolation on top of the standard application sandbox.

There are a few different things to set up for this to work:

  • A set of users, each for a group of applications that should be allowed access to each other

  • A tool to switch users, currently sudo and machinectl are supported.

  • If you are running NixOS, the module in this repository can take care of launchers and desktop files in the privileged user's environment, as well as packages and extra home-manager configuration for target users.

If you have a flakes-enabled nix environment, you can try out the tool by running:

nix run git+https://git.ophivana.moe/security/fortify -- -h

Module usage

The NixOS module currently requires home-manager to function correctly.

Full module documentation can be found here.

To use the module, import it into your configuration with

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

    fortify = {
      url = "git+https://git.ophivana.moe/security/fortify";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, fortify, ... }:
  {
    nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        fortify.nixosModules.fortify
      ];
    };
  };
}

This adds the environment.fortify option:

{ pkgs, ... }:

{
  environment.fortify = {
    enable = true;
    stateDir = "/var/lib/persist/module/fortify";
    users = {
      alice = 0;
      nixos = 10;
    };

    apps = [
      {
        name = "chromium";
        id = "org.chromium.Chromium";
        packages = [ pkgs.chromium ];
        userns = true;
        mapRealUid = true;
        dbus = {
          system = {
            filter = true;
            talk = [
              "org.bluez"
              "org.freedesktop.Avahi"
              "org.freedesktop.UPower"
            ];
          };
          session =
            f:
            f {
              talk = [
                "org.freedesktop.DBus"
                "org.freedesktop.FileManager1"
                "org.freedesktop.Notifications"
                "org.freedesktop.ScreenSaver"
                "org.freedesktop.secrets"
                "org.kde.kwalletd5"
                "org.kde.kwalletd6"
              ];
              own = [
                "org.chromium.Chromium.*"
                "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
                "org.mpris.MediaPlayer2.chromium.*"
              ];
              call = { };
              broadcast = { };
            };
        };
      }
      {
        name = "claws-mail";
        id = "org.claws_mail.Claws-Mail";
        packages = [ pkgs.claws-mail ];
        gpu = false;
        capability.pulse = false;
      }
      {
        name = "weechat";
        packages = [ pkgs.weechat ];
        capability = {
          wayland = false;
          x11 = false;
          dbus = true;
          pulse = false;
        };
      }
      {
        name = "discord";
        id = "dev.vencord.Vesktop";
        packages = [ pkgs.vesktop ];
        share = pkgs.vesktop;
        command = "vesktop --ozone-platform-hint=wayland";
        userns = true;
        mapRealUid = true;
        capability.x11 = true;
        dbus = {
          session =
            f:
            f {
              talk = [ "org.kde.StatusNotifierWatcher" ];
              own = [ ];
              call = { };
              broadcast = { };
            };
          system.filter = true;
        };
      }
      {
        name = "looking-glass-client";
        groups = [ "plugdev" ];
        extraPaths = [
          {
            src = "/dev/shm/looking-glass";
            write = true;
          }
        ];
        extraConfig = {
          programs.looking-glass-client.enable = true;
        };
      }
    ];
  };
}