Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
parent
4d90e73366
commit
2e31b3d3a1
97
README.md
97
README.md
@ -2,6 +2,7 @@ Fortify
|
|||||||
=======
|
=======
|
||||||
|
|
||||||
[![Go Reference](https://pkg.go.dev/badge/git.ophivana.moe/security/fortify.svg)](https://pkg.go.dev/git.ophivana.moe/security/fortify)
|
[![Go Reference](https://pkg.go.dev/badge/git.ophivana.moe/security/fortify.svg)](https://pkg.go.dev/git.ophivana.moe/security/fortify)
|
||||||
|
[![Go Report Card](https://goreportcard.com/badge/git.ophivana.moe/security/fortify)](https://goreportcard.com/report/git.ophivana.moe/security/fortify)
|
||||||
|
|
||||||
Lets you run graphical applications as another user in a confined environment with a nice NixOS
|
Lets you run graphical applications as another user in a confined environment with a nice NixOS
|
||||||
module to configure target users and provide launchers and desktop files for your privileged user.
|
module to configure target users and provide launchers and desktop files for your privileged user.
|
||||||
@ -77,40 +78,54 @@ This adds the `environment.fortify` option:
|
|||||||
claws-mail.capability.pulse = false;
|
claws-mail.capability.pulse = false;
|
||||||
|
|
||||||
discord = {
|
discord = {
|
||||||
|
id = "dev.vencord.Vesktop";
|
||||||
command = "vesktop --ozone-platform-hint=wayland";
|
command = "vesktop --ozone-platform-hint=wayland";
|
||||||
|
userns = true;
|
||||||
|
useRealUid = true;
|
||||||
|
dbus = {
|
||||||
|
session =
|
||||||
|
f:
|
||||||
|
f {
|
||||||
|
talk = [ "org.kde.StatusNotifierWatcher" ];
|
||||||
|
own = [ ];
|
||||||
|
call = { };
|
||||||
|
broadcast = { };
|
||||||
|
};
|
||||||
|
system.filter = true;
|
||||||
|
};
|
||||||
share = pkgs.vesktop;
|
share = pkgs.vesktop;
|
||||||
};
|
};
|
||||||
|
|
||||||
chromium.dbus = {
|
chromium = {
|
||||||
configSystem = {
|
id = "org.chromium.Chromium";
|
||||||
filter = true;
|
userns = true;
|
||||||
talk = [
|
useRealUid = true;
|
||||||
"org.bluez"
|
dbus = {
|
||||||
"org.freedesktop.Avahi"
|
system = {
|
||||||
"org.freedesktop.UPower"
|
filter = true;
|
||||||
];
|
talk = [
|
||||||
};
|
"org.bluez"
|
||||||
config = {
|
"org.freedesktop.Avahi"
|
||||||
filter = true;
|
"org.freedesktop.UPower"
|
||||||
talk = [
|
];
|
||||||
"org.freedesktop.DBus"
|
|
||||||
"org.freedesktop.FileManager1"
|
|
||||||
"org.freedesktop.Notifications"
|
|
||||||
"org.freedesktop.ScreenSaver"
|
|
||||||
"org.freedesktop.secrets"
|
|
||||||
"org.kde.kwalletd5"
|
|
||||||
"org.kde.kwalletd6"
|
|
||||||
];
|
|
||||||
own = [
|
|
||||||
"org.chromium.Chromium.*"
|
|
||||||
"org.mpris.MediaPlayer2.org.chromium.Chromium.*"
|
|
||||||
"org.mpris.MediaPlayer2.chromium.*"
|
|
||||||
];
|
|
||||||
call = {
|
|
||||||
"org.freedesktop.portal.*" = "*";
|
|
||||||
};
|
};
|
||||||
broadcast = {
|
session = f: f {
|
||||||
"org.freedesktop.portal.*" = "@/org/freedesktop/portal/*";
|
talk = [
|
||||||
|
"org.freedesktop.DBus"
|
||||||
|
"org.freedesktop.FileManager1"
|
||||||
|
"org.freedesktop.Notifications"
|
||||||
|
"org.freedesktop.ScreenSaver"
|
||||||
|
"org.freedesktop.secrets"
|
||||||
|
"org.kde.kwalletd5"
|
||||||
|
"org.kde.kwalletd6"
|
||||||
|
];
|
||||||
|
own = [
|
||||||
|
"org.chromium.Chromium.*"
|
||||||
|
"org.mpris.MediaPlayer2.org.chromium.Chromium.*"
|
||||||
|
"org.mpris.MediaPlayer2.chromium.*"
|
||||||
|
];
|
||||||
|
call = { };
|
||||||
|
broadcast = { };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -156,15 +171,29 @@ This adds the `environment.fortify` option:
|
|||||||
|
|
||||||
The available options are:
|
The available options are:
|
||||||
|
|
||||||
|
* `id`, the freedesktop application ID, primarily used by dbus, null to disable.
|
||||||
|
|
||||||
* `command`, the command to run as the target user. Defaults to launcher name.
|
* `command`, the command to run as the target user. Defaults to launcher name.
|
||||||
|
|
||||||
* `dbus.config`, D-Bus proxy custom configuration.
|
* `dbus.session`, D-Bus session proxy custom configuration.
|
||||||
|
|
||||||
* `dbus.configSystem`, D-Bus system bus custom configuration, null to disable.
|
* `dbus.configSystem`, D-Bus system proxy custom configuration, null to disable.
|
||||||
|
|
||||||
* `dbus.id`, D-Bus application id, has no effect if `dbus.config` is set.
|
* `env`, attrset of environment variables to set for the initial process in the sandbox.
|
||||||
|
|
||||||
* `dbus.mpris`, whether to enable MPRIS defaults, has no effect if `dbus.config` is set.
|
* `nix`, whether to allow nix daemon connections from within the sandbox.
|
||||||
|
|
||||||
|
* `userns`, whether to allow userns within the sandbox.
|
||||||
|
|
||||||
|
* `useRealUid`, whether to map to the real UID within the sandbox.
|
||||||
|
|
||||||
|
* `net`, whether to allow network access within the sandbox.
|
||||||
|
|
||||||
|
* `gpu`, target process GPU and driver access, null to follow Wayland or X capability.
|
||||||
|
|
||||||
|
* `dev`, whether to allow full device access within the sandbox.
|
||||||
|
|
||||||
|
* `extraPaths`, a list of extra paths to make available inside the sandbox.
|
||||||
|
|
||||||
* `capability.wayland`, whether to share the Wayland socket.
|
* `capability.wayland`, whether to share the Wayland socket.
|
||||||
|
|
||||||
@ -176,4 +205,4 @@ This adds the `environment.fortify` option:
|
|||||||
|
|
||||||
* `share`, package containing desktop/icon files. Defaults to launcher name.
|
* `share`, package containing desktop/icon files. Defaults to launcher name.
|
||||||
|
|
||||||
* `method`, the launch method for the sandboxed program, can be `"fortify"`, `"fortify-sudo"`, `"sudo"`.
|
* `method`, the launch method for the sandboxed program, can be `"sudo"`, `"systemd"`, `"simple"`.
|
||||||
|