feat: hardening nixos desktops (#160)

* feat: hardening nixos desktops

* refactor: move hardening to the root folder

* feat: add nixpaks into nixpkgs via overlays

* feat: nixpak - add netease music

* docs: hardening

* fix: nvidia

* fix: disable apparmor & hardening profile to avoid neovim being killed

* fix: firefox cursor & fonts

.gitignore

@@ -4,3 +4,4 @@ result/
 .DS_Store
 .pre-commit-config.yaml
 logs/
+core*

flake.nix

@@ -106,6 +106,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    nixpak = {
+      url = "github:nixpak/nixpak";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ########################  Some non-flake repositories  #########################################
 
     # doom-emacs is a configuration framework for GNU Emacs.

hardening/README.md

@@ -0,0 +1,70 @@
+# Linux Hardening
+
+## Goal
+
+- **System Level**: Protect critical files from being accessed by untrusted applications.
+  1. Such as browser cookies, SSH keys, etc.
+- **Per-App Level**: Prevent untrusted applications(such as closed-source apps) from:
+  1.  Accessing files they shouldn't.
+      - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
+  1.  Accessing the network when they don't need to.
+  1.  Accessing hardware devices they don't need.
+
+## Kernel Hardening
+
+- NixOS Kernel Config:
+  https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/kernel/hardened/config.nix
+
+## System Hardening
+
+- NixOS Profile:
+  https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
+- Apparmor: [roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d)
+  - https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
+  - AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based
+    applications and processes.
+  - Nix Package:
+    [roddhjav-apparmor-rules](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/ro/roddhjav-apparmor-rules/package.nix#L33)
+  - https://github.com/NixOS/nixpkgs/issues/331645
+- SELinux: too complex, not recommended for personal use.
+
+## Application Sandboxing
+
+- [Firejail](https://github.com/netblue30/firejail/tree/master/etc): A SUID security sandbox with
+  hundreds of security profiles for many common applications in the default installation.
+  - https://wiki.nixos.org/wiki/Firejail
+  - Firejail needs SUID to work, which is considered a security risk -
+    [Does firejail improve the security of my system?](https://github.com/netblue30/firejail/discussions/4601)
+- [Bubblewrap](https://github.com/containers/bubblewrap):
+  [nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included.
+  - NixOS's FHSEnv is implemented using bubblewrap by default.
+- [Systemd/Hardening](https://wiki.nixos.org/wiki/Systemd/Hardening): Systemd also provides some
+  sandboxing features.
+
+## NOTE
+
+**Running untrusted code is never safe, kernel hardening & sandboxing cannot change this**.
+
+If you want to run untrusted code, please use a VM & an isolated network environment, which will
+provide a much higher level of security.
+
+## References
+
+- [Harden your NixOS workstation - dataswamp](https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html)
+- [Linux Insecurities - Madaidans](https://madaidans-insecurities.github.io/linux.html)
+- [Sandboxing all programs by default - NixOS Discourse](https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792)
+- [在 Firejail 中运行 Steam](https://imbearchild.cyou/archives/2021/11/steam-in-firejail/)
+- [Firejail - Arch Linux Wiki](https://wiki.archlinux.org/title/Firejail)
+- nixpak configs:
+  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
+  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
+  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
+  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
+- firejail configs:
+  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
+- apparmor configs:
+  - https://github.com/sukhmancs/nixos-configs/blob/7fcf737c506ad843113cd5b94796b49d4d4dfad2/modules/shared/security/apparmor/default.nix#L8
+  - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
+- Others:
+  - Directly via `buildFHSUserEnvBubblewrap`:
+    https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix

hardening/apparmor/default.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.dbus.apparmor = "enabled";
+  security.apparmor = {
+    enable = true;
+
+    # kill process that are not confined but have apparmor profiles enabled
+    killUnconfinedConfinables = true;
+    packages = with pkgs; [
+      apparmor-utils
+      apparmor-profiles
+    ];
+
+    # apparmor policies
+    policies = {
+      "default_deny" = {
+        enforce = false;
+        enable = false;
+        profile = ''
+          profile default_deny /** { }
+        '';
+      };
+
+      "sudo" = {
+        enforce = false;
+        enable = false;
+        profile = ''
+          ${pkgs.sudo}/bin/sudo {
+            file /** rwlkUx,
+          }
+        '';
+      };
+
+      "nix" = {
+        enforce = false;
+        enable = false;
+        profile = ''
+          ${config.nix.package}/bin/nix {
+            unconfined,
+          }
+        '';
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    apparmor-bin-utils
+    apparmor-profiles
+    apparmor-parser
+    libapparmor
+    apparmor-kernel-patches
+    apparmor-pam
+    apparmor-utils
+  ];
+}

hardening/firejail/default.nix

@@ -0,0 +1,75 @@
+{pkgs, ...}: let
+  firejailWrapper = import ./firejailWrapper.nix pkgs;
+in {
+  programs.firejail.enable = true;
+
+  # Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules
+  nixpkgs.overlays = [
+    (_: super: {
+      firejailed = {
+        steam = firejailWrapper {
+          name = "steam-firejailed";
+          executable = "${super.steam}/bin/steam";
+          profile = "${super.firejail}/etc/firejail/steam.profile";
+        };
+        steam-run = firejailWrapper {
+          name = "steam-run-firejailed";
+          executable = "${super.steam}/bin/steam-run";
+          profile = "${super.firejail}/etc/firejail/steam.profile";
+        };
+
+        # firefox = firejailWrapper {
+        #   name = "firefox-firejailed";
+        #   executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox";
+        #   profile = "${super.firejail}/etc/firejail/firefox.profile";
+        # };
+        # chromium = firejailWrapper {
+        #   name = "chromium-firejailed";
+        #   executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium";
+        #   profile = "${super.firejail}/etc/firejail/chromium.profile";
+        # };
+
+        mpv = firejailWrapper {
+          executable = "${super.lib.getBin super.mpv}/bin/mpv";
+          profile = "${super.firejail}/etc/firejail/mpv.profile";
+        };
+        imv = firejailWrapper {
+          executable = "${super.lib.getBin super.imv}/bin/imv";
+          profile = "${super.firejail}/etc/firejail/imv.profile";
+        };
+        zathura = firejailWrapper {
+          executable = "${super.lib.getBin super.zathura}/bin/zathura";
+          profile = "${super.firejail}/etc/firejail/zathura.profile";
+        };
+        discord = firejailWrapper {
+          executable = "${super.lib.getBin super.discord}/bin/discord";
+          profile = "${super.firejail}/etc/firejail/discord.profile";
+        };
+        slack = firejailWrapper {
+          executable = "${super.lib.getBin super.slack}/bin/slack";
+          profile = "${super.firejail}/etc/firejail/slack.profile";
+        };
+        telegram-desktop = firejailWrapper {
+          executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop";
+          profile = "${super.firejail}/etc/firejail/telegram-desktop.profile";
+        };
+        brave = firejailWrapper {
+          executable = "${super.lib.getBin super.brave}/bin/brave";
+          profile = "${super.firejail}/etc/firejail/brave.profile";
+        };
+        qutebrowser = firejailWrapper {
+          executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser";
+          profile = "${super.firejail}/etc/firejail/qutebrowser.profile";
+        };
+        thunar = firejailWrapper {
+          executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar";
+          profile = "${super.firejail}/etc/firejail/thunar.profile";
+        };
+        vscodium = firejailWrapper {
+          executable = "${super.lib.getBin super.vscodium}/bin/vscodium";
+          profile = "${super.firejail}/etc/firejail/vscodium.profile";
+        };
+      };
+    })
+  ];
+}

hardening/firejail/firejailWrapper.nix

@@ -0,0 +1,35 @@
+# https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/
+pkgs: {
+  name ? "firejail-wrapper",
+  executable,
+  desktop ? null,
+  profile ? null,
+  extraArgs ? [],
+}:
+pkgs.runCommand name
+{
+  preferLocalBuild = true;
+  allowSubstitutes = false;
+  meta.priority = -1; # take precedence over non-firejailed versions
+}
+(
+  let
+    firejailArgs = pkgs.lib.concatStringsSep " " (
+      extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}")
+    );
+  in
+    ''
+      command_path="$out/bin/$(basename ${executable})-jailed"
+      mkdir -p $out/bin
+      mkdir -p $out/share/applications
+      cat <<'_EOF' >"$command_path"
+      #! ${pkgs.runtimeShell} -e
+      exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@"
+      _EOF
+      chmod 0755 "$command_path"
+    ''
+    + pkgs.lib.optionalString (desktop != null) ''
+      substitute ${desktop} $out/share/applications/$(basename ${desktop}) \
+        --replace ${executable} "$command_path"
+    ''
+)

hardening/nixpaks/default.nix

@@ -0,0 +1,30 @@
+{
+  pkgs,
+  nixpak,
+  ...
+}: let
+  callArgs = {
+    mkNixPak = nixpak.lib.nixpak {
+      inherit (pkgs) lib;
+      inherit pkgs;
+    };
+    safeBind = sloth: realdir: mapdir: [
+      (sloth.mkdir (sloth.concat' sloth.appDataDir realdir))
+      (sloth.concat' sloth.homeDir mapdir)
+    ];
+  };
+  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script;
+in {
+  # Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules
+  nixpkgs.overlays = [
+    (_: super: {
+      nixpaks = {
+        qq = wrapper super ./qq.nix;
+        qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
+
+        firefox = wrapper super ./firefox.nix;
+        firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
+      };
+    })
+  ];
+}

hardening/nixpaks/firefox-desktop-item.nix

@@ -0,0 +1,11 @@
+{makeDesktopItem}:
+makeDesktopItem {
+  name = "firefox";
+  desktopName = "firefox";
+  exec = "firefox %U";
+  terminal = false;
+  icon = "firefox";
+  type = "Application";
+  categories = ["Network"];
+  comment = "firefox boxed";
+}