README
¶
Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel. It implements the application container of planterette (WIP), a self-contained Android-like package manager with modern security features.
NixOS Module usage
The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found here.
To use the module, import it into your configuration with
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
hakurei = {
url = "git+https://git.gensokyo.uk/security/hakurei";
# Optional but recommended to limit the size of your system closure.
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, hakurei, ... }:
{
nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
hakurei.nixosModules.hakurei
];
};
};
}
This adds the environment.hakurei option:
{ pkgs, ... }:
{
environment.hakurei = {
enable = true;
stateDir = "/var/lib/hakurei";
users = {
alice = 0;
nixos = 10;
};
commonPaths = [
{
src = "/sdcard";
write = true;
}
];
extraHomeConfig = {
home.stateVersion = "23.05";
};
apps = {
"org.chromium.Chromium" = {
name = "chromium";
identity = 1;
packages = [ pkgs.chromium ];
userns = true;
mapRealUid = true;
dbus = {
system = {
filter = true;
talk = [
"org.bluez"
"org.freedesktop.Avahi"
"org.freedesktop.UPower"
];
};
session =
f:
f {
talk = [
"org.freedesktop.FileManager1"
"org.freedesktop.Notifications"
"org.freedesktop.ScreenSaver"
"org.freedesktop.secrets"
"org.kde.kwalletd5"
"org.kde.kwalletd6"
];
own = [
"org.chromium.Chromium.*"
"org.mpris.MediaPlayer2.org.chromium.Chromium.*"
"org.mpris.MediaPlayer2.chromium.*"
];
call = { };
broadcast = { };
};
};
};
"org.claws_mail.Claws-Mail" = {
name = "claws-mail";
identity = 2;
packages = [ pkgs.claws-mail ];
gpu = false;
capability.pulse = false;
};
"org.weechat" = {
name = "weechat";
identity = 3;
shareUid = true;
packages = [ pkgs.weechat ];
capability = {
wayland = false;
x11 = false;
dbus = true;
pulse = false;
};
};
"dev.vencord.Vesktop" = {
name = "discord";
identity = 3;
shareUid = true;
packages = [ pkgs.vesktop ];
share = pkgs.vesktop;
command = "vesktop --ozone-platform-hint=wayland";
userns = true;
mapRealUid = true;
capability.x11 = true;
dbus = {
session =
f:
f {
talk = [ "org.kde.StatusNotifierWatcher" ];
own = [ ];
call = { };
broadcast = { };
};
system.filter = true;
};
};
"io.looking-glass" = {
name = "looking-glass-client";
identity = 4;
useCommonPaths = false;
groups = [ "plugdev" ];
extraPaths = [
{
src = "/dev/shm/looking-glass";
write = true;
}
];
extraConfig = {
programs.looking-glass-client.enable = true;
};
};
};
};
}
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
hakurei
command
|
|
|
hpkg
command
|
|
|
hsu
command
|
|
|
Package command implements generic nested command parsing.
|
Package command implements generic nested command parsing. |
|
Package container implements unprivileged Linux containers with built-in support for syscall filtering.
|
Package container implements unprivileged Linux containers with built-in support for syscall filtering. |
|
check
Package check provides types yielding values checked to meet a condition.
|
Package check provides types yielding values checked to meet a condition. |
|
fhs
Package fhs provides constant and checked pathname values for common FHS paths.
|
Package fhs provides constant and checked pathname values for common FHS paths. |
|
std
Package std contains constants from container packages without depending on cgo.
|
Package std contains constants from container packages without depending on cgo. |
|
stub
Package stub provides function call level stubbing and validation for library functions that are impossible to check otherwise.
|
Package stub provides function call level stubbing and validation for library functions that are impossible to check otherwise. |
|
vfs
Package vfs provides bindings and iterators over proc_pid_mountinfo(5).
|
Package vfs provides bindings and iterators over proc_pid_mountinfo(5). |
|
Package helper exposes the internal/helper package.
|
Package helper exposes the internal/helper package. |
|
proc
Deprecated: This package will be removed in 0.4.
|
Deprecated: This package will be removed in 0.4. |
|
Package hst exports stable shared types for interacting with hakurei.
|
Package hst exports stable shared types for interacting with hakurei. |
|
internal
|
|
|
acl
Package acl implements simple ACL manipulation via libacl.
|
Package acl implements simple ACL manipulation via libacl. |
|
dbus
Package dbus wraps xdg-dbus-proxy and implements configuration and sandboxing of the underlying helper process.
|
Package dbus wraps xdg-dbus-proxy and implements configuration and sandboxing of the underlying helper process. |
|
env
Package env provides the Paths struct for efficiently building paths from the environment.
|
Package env provides the Paths struct for efficiently building paths from the environment. |
|
helper
Package helper runs external helpers with optional sandboxing.
|
Package helper runs external helpers with optional sandboxing. |
|
lockedfile
Package lockedfile creates and manipulates files whose contents should only change atomically.
|
Package lockedfile creates and manipulates files whose contents should only change atomically. |
|
lockedfile/internal/filelock
Package filelock provides a platform-independent API for advisory file locking.
|
Package filelock provides a platform-independent API for advisory file locking. |
|
outcome
Package outcome implements the outcome of the privileged and container sides of a hakurei container.
|
Package outcome implements the outcome of the privileged and container sides of a hakurei container. |
|
pipewire
Package pipewire provides a partial implementation of the PipeWire protocol native.
|
Package pipewire provides a partial implementation of the PipeWire protocol native. |
|
store
Package store implements cross-process state tracking for hakurei container instances.
|
Package store implements cross-process state tracking for hakurei container instances. |
|
system
Package system provides helpers to apply and revert groups of operations to the system.
|
Package system provides helpers to apply and revert groups of operations to the system. |
|
validate
Package validate provides functions for validating string values of various types.
|
Package validate provides functions for validating string values of various types. |
|
wayland
Package wayland implements Wayland security_context_v1 protocol.
|
Package wayland implements Wayland security_context_v1 protocol. |
|
xcb
Package xcb implements X11 ChangeHosts via libxcb.
|
Package xcb implements X11 ChangeHosts via libxcb. |
|
Package ldd provides a robust parser for ldd(1) output, and a convenience function for running ldd(1) in a strict sandbox.
|
Package ldd provides a robust parser for ldd(1) output, and a convenience function for running ldd(1) in a strict sandbox. |
|
Package message provides interfaces and a base implementation for extended reporting on top of log.Logger
|
Package message provides interfaces and a base implementation for extended reporting on top of log.Logger |
|
Package system exposes the internal/system package.
|
Package system exposes the internal/system package. |
|
acl
Package acl exposes the internal/acl package.
|
Package acl exposes the internal/acl package. |
|
dbus
Package dbus exposes the internal/dbus package.
|
Package dbus exposes the internal/dbus package. |
|
wayland
Package wayland exposes the internal/wayland package.
|
Package wayland exposes the internal/wayland package. |
Click to show internal directories.
Click to hide internal directories.