static: replace index.html
All checks were successful
Static / Flake checks (push) Successful in 21s
Static / Create distribution (push) Successful in 47s

Ophestra 2025-06-28 14:14:19 +09:00
parent 2f45a8aad6
commit 8275ff0d22
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q


@ -2,24 +2,22 @@
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>GrapheneOS: the private and secure mobile OS</title>
<meta name="description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
<title>Hakurei: the secure desktop application sandbox</title>
<meta name="description" content="Hakurei is a security-focused Linux container runtime for desktop applications."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta name="twitter:site" content="@GrapheneOS"/>
<meta name="twitter:creator" content="@GrapheneOS"/>
<meta property="og:title" content="GrapheneOS: the private and secure mobile OS"/>
<meta property="og:description" content="GrapheneOS is a security and privacy focused mobile OS with Android app compatibility."/>
<meta property="og:title" content="Hakurei: the secure desktop application sandbox"/>
<meta property="og:description" content="Hakurei is a security-focused Linux container runtime for desktop applications."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://grapheneos.org/opengraph.png"/>
<meta property="og:image" content="https://hakurei.app/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="GrapheneOS logo"/>
<meta property="og:site_name" content="GrapheneOS"/>
<meta property="og:url" content="https://grapheneos.org/"/>
<link rel="canonical" href="https://grapheneos.org/"/>
<meta property="og:image:alt" content="Hakurei logo"/>
<meta property="og:site_name" content="Hakurei"/>
<meta property="og:url" content="https://hakurei.app/"/>
<link rel="canonical" href="https://hakurei.app/"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
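Review bot: the three icon links at the end of this hunk (/favicon.ico, /favicon.svg and the mask-icon path) are left untouched while og:image and og:image:alt above them now name a Hakurei logo at https://hakurei.app/opengraph.png. Nothing in the visible lines shows those image files being replaced, so please confirm that the favicon, mask icon and opengraph.png assets are swapped in the same change. Otherwise the page will announce Hakurei in its metadata but serve the previous project's artwork. The unchanged theme-color and msapplication-TileColor values deserve the same check against the new design.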
@ -27,21 +25,21 @@
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://grapheneos.social/@GrapheneOS"/>
<link rel="me" href="https://port.mk/@hakurei"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="/" %}
{% include "header.html" %}
{% endwith %}
<main class="normalize" id="grapheneos">
<main class="normalize" id="hakurei">
<div class="content hero">
<div>
<h1><a href="#grapheneos">GrapheneOS</a></h1>
<p>The private and secure mobile operating system with Android app compatibility.
<h1><a href="#hakurei">Hakurei</a></h1>
<p>A security-focused Linux container runtime for desktop applications.
Developed as a non-profit open source project.</p>
<a class="button" href="/install/">Install GrapheneOS</a>
<a class="button" href="/install/">Install Hakurei</a>
</div>
<figure class="device-img">
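Review bot: the [[js|/js/redirect.js]] include just before </head> is kept as-is from the page being replaced, and its contents are not part of this diff. Since the canonical host changes to hakurei.app in the same commit, please check that the script does not compare against or redirect to the old site's hostnames, or drop the include if it is not needed. In the hero, the button still targets /install/ while links added further down in this commit use .html paths (/source.html, /package.html, /contact.html), so confirm /install/ resolves on the new site. The retained figure class="device-img" is also worth a second look for a desktop project.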
@ -53,7 +51,7 @@
<div class="surface">
<div class="content break">
<p>Get to know GrapheneOS</p>
<p>Get to know Hakurei</p>
</div>
</div>
@ -61,63 +59,58 @@
<section id="about">
<h2 class="start"><a href="#about">About</a></h2>
<p>GrapheneOS is a privacy and security focused mobile OS with Android app
compatibility developed as a non-profit <a href="/source">open source</a>
project. It's focused on the research and development of privacy and security
technology including substantial improvements to sandboxing, exploit
mitigations and the permission model. It was founded in 2014 and was
<a href="/history/copperheados">formerly known as CopperheadOS</a>.</p>
<p>Hakurei is a security-focused Linux container runtime for running unmodified
desktop applications, developed as a non-profit <a href="/source.html">open source
</a> project. It also implements <a href="/package.html">planterette</a>, an
experimental self-contained Android-like package manager with modern security
features.</p>
<p>GrapheneOS improves the privacy and security of the OS from the bottom up.
It deploys technologies to mitigate whole classes of vulnerabilities and make
exploiting the most common sources of vulnerabilities substantially more
difficult. It improves the security of both the OS and the apps running on it.
The app sandbox and other security boundaries are fortified. GrapheneOS tries
to avoid impacting the user experience with the privacy and security features.
Ideally, the features can be designed so that they're always enabled with no
impact on the user experience and no additional complexity like configuration
options. It's not always feasible, and GrapheneOS does add various toggles for
features like the Network permission, Sensors permission, restrictions when
the device is locked (USB-C / pogo pins, camera, quick tiles), etc. along with
more complex user-facing privacy and security features with their own UX.</p>
<p>Security on the desktop has always left something to be desired. While <a
href="https://www.qubes-os.org" target="_blank">Qubes OS</a> provides excellent
security, its performance and usability limitations make it unsuitable for most
use cases. Hakurei attempts to fill that gap by running applications natively
while still establishing decent compartmentalisation enforced by the kernel.</p>
<p>The <a href="/features">features page</a> provides an overview of the
substantial privacy and security improvements added by GrapheneOS to the
Android Open Source Project (AOSP). Many of our past features were <a
href="/faq#upstream">contributed to AOSP, Linux and other projects to improve
privacy and security for billions of users</a> so they're no longer listed on
our features page.</p>
<p>Hakurei runs each container as a dedicated subordinate user and sets up the
container via unprivileged user namespaces as another layer of defense against
privilege escalation. Unprivileged user namespace creation is made unavailable
in containers by default to reduce attack surface, but can be optionally enabled
for applications with strong built-in sandboxes to avoid having to ruin their
sandbox.</p>
<p>Official releases are available on the <a href="/releases">releases
page</a> and installation instructions are on the <a href="/install/">install
page</a>.</p>
<p>GrapheneOS also develops various apps and services with a focus on privacy
and security. Vanadium is a hardened variant of the Chromium browser and
WebView specifically built for GrapheneOS. GrapheneOS also includes our
minimal security-focused PDF Viewer, our hardware-based Auditor app /
attestation service providing local and remote verification of devices,
our modern privacy / security focused camera app, and the externally developed
Seedvault encrypted backup which was initially developed for inclusion in
GrapheneOS.</p>
<p>Official releases are available via <a
href="https://git.gensokyo.uk/security/hakurei/releases" target="_blank">Gitea
</a> and documentation for the included NixOS module can be found
<a href="https://git.gensokyo.uk/security/hakurei/src/branch/master/options.md"
target="_blank">here</a>.</p>
</section>
<section id="never-google-services">
<h2><a href="#never-google-services">No Google apps or services</a></h2>
<section id="compatibility">
<h2><a href="#compatibility">OS Compatibility</a></h2>
<p>GrapheneOS will never include either Google Play services or another
implementation of Google services like microG. It's possible to install Play
services as a set of fully sandboxed apps without special privileges via our
<a href="/usage#sandboxed-google-play">sandboxed Google Play compatibility
layer</a>. See <a href="/faq#google-services">the FAQ section</a> for more
details on our plans for filling in the gaps from not shipping Play services
and Google apps.</p>
</section>
<p>Hakurei does not try to support every major Linux distribution and their
configuration of the kernel. Most Debian-based distributions disable
unprivileged user namespace creation by default, and while that could be a
good way to reduce attack surface, it also disables a layer of security
where the kernel enforces strict limits on user namespaces created by
an unprivileged user. Having to set up the sandbox as root also adds
significant complexity to the setuid wrapper.
The reduction of attack surface is also made irrelevant since hakurei can
disable unprivileged user namespace creation on a per-container basis.</p>
<section id="device-support">
<h2><a href="/faq#device-support">Device support</a></h2>
<p>Users on affected kernels can switch to an unmodified (and up to date) kernel
or enable unprivileged user namespace creation by setting the
<code>kernel.unprivileged_userns_clone</code> sysctl to 1.
Whether or not it increases attack surface is largely dependent on what runs
on the system, however if all apps are spawned by Hakurei and the rest of the
system is sufficiently secured, enabling unprivileged user namespace creation
should not increase attack surface whatsoever.</p>
<p class="end">See <a href="/faq#device-support">the FAQ section on device support</a>.</p>
<p>While Hakurei is primarily developed on NixOS and relies on Nix for its
integration test suite, it does not target NixOS or make assumptions that are
only true on NixOS. Unfortunately, mistakes do happen semi-often as the
architecture of NixOS can often hide bugs and assumptions. Please <a
href="/contact.html">report</a> such anomalies if you encounter them.</p>
</section>
</div>
</main>
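Review bot: in the paragraph about kernel.unprivileged_userns_clone, the closing claim "should not increase attack surface whatsoever" is stronger than the conditions stated in the same sentence ("if all apps are spawned by Hakurei and the rest of the system is sufficiently secured"). The sysctl applies to the whole system, not only to processes Hakurei starts, so I would state that plainly and soften the wording, for example to say the added exposure is limited to processes running outside Hakurei. Separately, the three external links with target="_blank" (Qubes OS, Gitea, options.md) carry no rel attribute; adding rel="noopener noreferrer" makes the intent explicit. The link text "here" for options.md would read better as a descriptive label, and the closing </a> tags placed on their own line after "open source" and "Gitea" leave trailing whitespace inside the link.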