Hakurei is a tool for running sandboxed desktop applications as dedicated subordinate users on the Linux kernel. It implements the application container of planterette (WIP), a self-contained Android-like package manager with modern security features.

Interaction with hakurei happens entirely through structures described by package hst. No native API is available due to internal details of uid isolation.

Notable Packages

Package container is general purpose container tooling. It is used by the hakurei shim process running as the target subordinate user to set up the application container. It has a single dependency, libseccomp, to create BPF programs for the system call filter.

Package internal/pkg provides infrastructure for hermetic builds. This replaces the legacy nix-based testing framework and serves as the build system of Rosa OS, currently developed under package internal/rosa.

Dependencies

container depends on:

• libseccomp to generate BPF programs.

cmd/hakurei depends on:

• acl to export sockets to subordinate users.
• wayland to set up security-context-v1.
• xcb to grant and revoke subordinate users access to the X server.

cmd/sharefs depends on:

• fuse to implement the filesystem.

New dependencies will generally not be added. Patches adding new dependencies are very likely to be rejected.

NixOS Module (deprecated)

The NixOS module is in maintenance mode and will be removed once planterette is feature-complete. Full module documentation can be found here.