feat: hardening nixos desktops (#160)
* feat: hardening nixos desktops
* refactor: move hardening to the root folder
* feat: add nixpaks into nixpkgs via overlays
* feat: nixpak - add netease music
* docs: hardening
* fix: nvidia
* fix: disable apparmor & hardening profile to avoid neovim being killed
* fix: firefox cursor & fonts
Showing 21 changed files with 626 additions and 13 deletions.
@@ -4,3 +4,4 @@ result/ | |
.DS_Store | ||
.pre-commit-config.yaml | ||
logs/ | ||
core* |
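Review bot: the new `core*` pattern is broader than core dumps and will also ignore any tracked file or directory whose name starts with `core` (a `core/` module directory, for instance), which is easy to miss later. `core` plus `core.[0-9]*`, or `/core*` anchored at the repository root, limits it to the dump files this is presumably meant to catch.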
@@ -0,0 +1,70 @@ | ||
# Linux Hardening | ||
|
||
## Goal | ||
|
||
- **System Level**: Protect critical files from being accessed by untrusted applications. | ||
1. Such as browser cookies, SSH keys, etc. | ||
- **Per-App Level**: Prevent untrusted applications(such as closed-source apps) from: | ||
1. Accessing files they shouldn't. | ||
- Such as a malicious application accessing your browser's cookies, SSH Keys, etc. | ||
1. Accessing the network when they don't need to. | ||
1. Accessing hardware devices they don't need. | ||
|
||
## Kernel Hardening | ||
|
||
- NixOS Kernel Config: | ||
https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/kernel/hardened/config.nix | ||
|
||
## System Hardening | ||
|
||
- NixOS Profile: | ||
https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix | ||
- Apparmor: [roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d) | ||
- https://gitlab.com/apparmor/apparmor/-/wikis/Documentation | ||
- AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based | ||
applications and processes. | ||
- Nix Package: | ||
[roddhjav-apparmor-rules](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/ro/roddhjav-apparmor-rules/package.nix#L33) | ||
- https://github.com/NixOS/nixpkgs/issues/331645 | ||
- SELinux: too complex, not recommended for personal use. | ||
|
||
## Application Sandboxing | ||
|
||
- [Firejail](https://github.com/netblue30/firejail/tree/master/etc): A SUID security sandbox with | ||
hundreds of security profiles for many common applications in the default installation. | ||
- https://wiki.nixos.org/wiki/Firejail | ||
- Firejail needs SUID to work, which is considered a security risk - | ||
[Does firejail improve the security of my system?](https://github.com/netblue30/firejail/discussions/4601) | ||
- [Bubblewrap](https://github.com/containers/bubblewrap): | ||
[nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included. | ||
- NixOS's FHSEnv is implemented using bubblewrap by default. | ||
- [Systemd/Hardening](https://wiki.nixos.org/wiki/Systemd/Hardening): Systemd also provides some | ||
sandboxing features. | ||
|
||
## NOTE | ||
|
||
**Running untrusted code is never safe, kernel hardening & sandboxing cannot change this**. | ||
|
||
If you want to run untrusted code, please use a VM & an isolated network environment, which will | ||
provide a much higher level of security. | ||
|
||
## References | ||
|
||
- [Harden your NixOS workstation - dataswamp](https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html) | ||
- [Linux Insecurities - Madaidans](https://madaidans-insecurities.github.io/linux.html) | ||
- [Sandboxing all programs by default - NixOS Discourse](https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792) | ||
- [在 Firejail 中运行 Steam](https://imbearchild.cyou/archives/2021/11/steam-in-firejail/) | ||
- [Firejail - Arch Linux Wiki](https://wiki.archlinux.org/title/Firejail) | ||
- nixpak configs: | ||
- https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application | ||
- https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak | ||
- https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak | ||
- https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix | ||
- firejail configs: | ||
- https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261 | ||
- apparmor configs: | ||
- https://github.com/sukhmancs/nixos-configs/blob/7fcf737c506ad843113cd5b94796b49d4d4dfad2/modules/shared/security/apparmor/default.nix#L8 | ||
- https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4 | ||
- Others: | ||
- Directly via `buildFHSUserEnvBubblewrap`: | ||
https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix |
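Review bot: the link on the `- Apparmor:` line has an unbalanced bracket, `[roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d)`, so it renders with a stray `)` inside the link text; drop the inner `)`. Minor: the project is spelled `AppArmor` two lines later, so use one spelling for the bullet and the `apparmor configs:` reference heading.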
@@ -0,0 +1,58 @@ | ||
{ | ||
config, | ||
pkgs, | ||
... | ||
}: { | ||
services.dbus.apparmor = "enabled"; | ||
security.apparmor = { | ||
enable = true; | ||
|
||
# kill process that are not confined but have apparmor profiles enabled | ||
killUnconfinedConfinables = true; | ||
packages = with pkgs; [ | ||
apparmor-utils | ||
apparmor-profiles | ||
]; | ||
|
||
# apparmor policies | ||
policies = { | ||
"default_deny" = { | ||
enforce = false; | ||
enable = false; | ||
profile = '' | ||
profile default_deny /** { } | ||
''; | ||
}; | ||
|
||
"sudo" = { | ||
enforce = false; | ||
enable = false; | ||
profile = '' | ||
${pkgs.sudo}/bin/sudo { | ||
file /** rwlkUx, | ||
} | ||
''; | ||
}; | ||
|
||
"nix" = { | ||
enforce = false; | ||
enable = false; | ||
profile = '' | ||
${config.nix.package}/bin/nix { | ||
unconfined, | ||
} | ||
''; | ||
}; | ||
}; | ||
}; | ||
|
||
environment.systemPackages = with pkgs; [ | ||
apparmor-bin-utils | ||
apparmor-profiles | ||
apparmor-parser | ||
libapparmor | ||
apparmor-kernel-patches | ||
apparmor-pam | ||
apparmor-utils | ||
]; | ||
} |
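Review bot: `killUnconfinedConfinables = true` is the option that kills already-running processes which have a loaded profile but were not started under it, so it is a likely cause of the `neovim being killed` symptom from the commit message; if the goal is to keep AppArmor on, set this to `false` (and fix the profile) rather than disabling AppArmor as a whole. Also, `environment.systemPackages` pulls in `apparmor-kernel-patches` (source patches, nothing to run), `libapparmor` and `apparmor-pam`, and repeats `apparmor-profiles` and `apparmor-utils` already listed in `security.apparmor.packages`; `apparmor-bin-utils` and `apparmor-utils` are all a user-facing profile needs. With every policy set to `enable = false`, the `policies` block is currently inert, which is worth a comment if that is intentional. Typo in the comment: `kill processes that are not confined`.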
@@ -0,0 +1,75 @@ | ||
{pkgs, ...}: let | ||
firejailWrapper = import ./firejailWrapper.nix pkgs; | ||
in { | ||
programs.firejail.enable = true; | ||
|
||
# Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules | ||
nixpkgs.overlays = [ | ||
(_: super: { | ||
firejailed = { | ||
steam = firejailWrapper { | ||
name = "steam-firejailed"; | ||
executable = "${super.steam}/bin/steam"; | ||
profile = "${super.firejail}/etc/firejail/steam.profile"; | ||
}; | ||
steam-run = firejailWrapper { | ||
name = "steam-run-firejailed"; | ||
executable = "${super.steam}/bin/steam-run"; | ||
profile = "${super.firejail}/etc/firejail/steam.profile"; | ||
}; | ||
|
||
# firefox = firejailWrapper { | ||
# name = "firefox-firejailed"; | ||
# executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox"; | ||
# profile = "${super.firejail}/etc/firejail/firefox.profile"; | ||
# }; | ||
# chromium = firejailWrapper { | ||
# name = "chromium-firejailed"; | ||
# executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium"; | ||
# profile = "${super.firejail}/etc/firejail/chromium.profile"; | ||
# }; | ||
|
||
mpv = firejailWrapper { | ||
executable = "${super.lib.getBin super.mpv}/bin/mpv"; | ||
profile = "${super.firejail}/etc/firejail/mpv.profile"; | ||
}; | ||
imv = firejailWrapper { | ||
executable = "${super.lib.getBin super.imv}/bin/imv"; | ||
profile = "${super.firejail}/etc/firejail/imv.profile"; | ||
}; | ||
zathura = firejailWrapper { | ||
executable = "${super.lib.getBin super.zathura}/bin/zathura"; | ||
profile = "${super.firejail}/etc/firejail/zathura.profile"; | ||
}; | ||
discord = firejailWrapper { | ||
executable = "${super.lib.getBin super.discord}/bin/discord"; | ||
profile = "${super.firejail}/etc/firejail/discord.profile"; | ||
}; | ||
slack = firejailWrapper { | ||
executable = "${super.lib.getBin super.slack}/bin/slack"; | ||
profile = "${super.firejail}/etc/firejail/slack.profile"; | ||
}; | ||
telegram-desktop = firejailWrapper { | ||
executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop"; | ||
profile = "${super.firejail}/etc/firejail/telegram-desktop.profile"; | ||
}; | ||
brave = firejailWrapper { | ||
executable = "${super.lib.getBin super.brave}/bin/brave"; | ||
profile = "${super.firejail}/etc/firejail/brave.profile"; | ||
}; | ||
qutebrowser = firejailWrapper { | ||
executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser"; | ||
profile = "${super.firejail}/etc/firejail/qutebrowser.profile"; | ||
}; | ||
thunar = firejailWrapper { | ||
executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar"; | ||
profile = "${super.firejail}/etc/firejail/thunar.profile"; | ||
}; | ||
vscodium = firejailWrapper { | ||
executable = "${super.lib.getBin super.vscodium}/bin/vscodium"; | ||
profile = "${super.firejail}/etc/firejail/vscodium.profile"; | ||
}; | ||
}; | ||
}) | ||
]; | ||
} |
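Review bot: only `steam` and `steam-run` pass `name`; every entry from `mpv` down falls back to `firejailWrapper`'s default name, so all of those derivations share a single store name and cannot be told apart in build output or `nix-store` queries; give each one `name = "<app>-firejailed"` like the first two. `steam-run` also points at `${super.steam}/bin/steam-run` while the rest use `super.lib.getBin`; double-check that the `steam` output actually ships `bin/steam-run`, since nixpkgs normally provides it as the separate `steam-run` package. Typo in the comment: `nixsuper` should read `nixpkgs`.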
@@ -0,0 +1,35 @@ | ||
# https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/ | ||
pkgs: { | ||
name ? "firejail-wrapper", | ||
executable, | ||
desktop ? null, | ||
profile ? null, | ||
extraArgs ? [], | ||
}: | ||
pkgs.runCommand name | ||
{ | ||
preferLocalBuild = true; | ||
allowSubstitutes = false; | ||
meta.priority = -1; # take precedence over non-firejailed versions | ||
} | ||
( | ||
let | ||
firejailArgs = pkgs.lib.concatStringsSep " " ( | ||
extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}") | ||
); | ||
in | ||
'' | ||
command_path="$out/bin/$(basename ${executable})-jailed" | ||
mkdir -p $out/bin | ||
mkdir -p $out/share/applications | ||
cat <<'_EOF' >"$command_path" | ||
#! ${pkgs.runtimeShell} -e | ||
exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@" | ||
_EOF | ||
chmod 0755 "$command_path" | ||
'' | ||
+ pkgs.lib.optionalString (desktop != null) '' | ||
substitute ${desktop} $out/share/applications/$(basename ${desktop}) \ | ||
--replace ${executable} "$command_path" | ||
'' | ||
) |
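Review bot: the heredoc delimiter is quoted (`cat <<'_EOF'`), so its body is written verbatim and the generated wrapper contains `"\$@"`, which the shell then expands to the literal string `$@` rather than the caller's arguments (a Nix `''` string passes `\$` through unchanged). Either drop the backslash and keep the quoted delimiter, or keep `\$@` and unquote the delimiter; as written, arguments given to the jailed command are lost while the Nix interpolations on that line (`${firejailArgs}`, `${toString executable}`) are unaffected because they are resolved before the build script runs. Minor: `substitute ... --replace` is silent when `${executable}` does not occur in the desktop file; `--replace-fail` turns that into a build error instead of shipping an `Exec=` that still launches the unsandboxed binary.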
@@ -0,0 +1,30 @@ | ||
{ | ||
pkgs, | ||
nixpak, | ||
... | ||
}: let | ||
callArgs = { | ||
mkNixPak = nixpak.lib.nixpak { | ||
inherit (pkgs) lib; | ||
inherit pkgs; | ||
}; | ||
safeBind = sloth: realdir: mapdir: [ | ||
(sloth.mkdir (sloth.concat' sloth.appDataDir realdir)) | ||
(sloth.concat' sloth.homeDir mapdir) | ||
]; | ||
}; | ||
wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script; | ||
in { | ||
# Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules | ||
nixpkgs.overlays = [ | ||
(_: super: { | ||
nixpaks = { | ||
qq = wrapper super ./qq.nix; | ||
qq-desktop-item = super.callPackage ./qq-desktop-item.nix {}; | ||
|
||
firefox = wrapper super ./firefox.nix; | ||
firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {}; | ||
}; | ||
}) | ||
]; | ||
} |
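Review bot: `mkNixPak` is built from the module-level `pkgs` (`inherit (pkgs) lib; inherit pkgs;`) while the apps are called through `super` (`wrapper super ./qq.nix`), so the sandbox and the application inside it come from two different package sets; the NixOS manual also warns against using the `pkgs` module argument when defining `nixpkgs.overlays`, because `pkgs` is itself derived from that option and can recurse. Renaming the discarded `_` overlay argument to `final` and building `mkNixPak` with `inherit (final) lib; pkgs = final;` keeps everything on one set. Also, `safeBind` returns a `[src dst]` bind pair but the name reads like a predicate; a comment saying it maps a per-app data directory onto a path inside the sandboxed home would help the reader.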
@@ -0,0 +1,11 @@ | ||
{makeDesktopItem}: | ||
makeDesktopItem { | ||
name = "firefox"; | ||
desktopName = "firefox"; | ||
exec = "firefox %U"; | ||
terminal = false; | ||
icon = "firefox"; | ||
type = "Application"; | ||
categories = ["Network"]; | ||
comment = "firefox boxed"; | ||
} |
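Review bot: `exec = "firefox %U"` resolves `firefox` through `PATH` at launch, so whichever `firefox` comes first on the user's path runs, sandboxed or not; given the `firefox boxed` comment, point `exec` at the nixpak wrapper's absolute store path (for example by taking the wrapper as a function argument next to `makeDesktopItem`) so the desktop entry cannot start the unconfined binary. Reusing `name = "firefox"` also shadows the stock `firefox.desktop`, which looks intended but deserves a comment.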