hakurei.app/static/index.html
Ophestra bf8a0cfc8d
static: remove source page
There are not that many repositories so an index is not helpful.
2025-06-28 19:30:26 +09:00

<!DOCTYPE html>
<html lang="en" prefix="og: https://ogp.me/ns#">
<head>
<meta charset="utf-8"/>
<title>Hakurei: the secure desktop application sandbox</title>
<meta name="description" content="Hakurei is a security-focused Linux container runtime for desktop applications."/>
<meta name="theme-color" content="#212121"/>
<meta name="color-scheme" content="dark light"/>
<meta name="msapplication-TileColor" content="#ffffff"/>
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/>
<meta property="og:title" content="Hakurei: the secure desktop application sandbox"/>
<meta property="og:description" content="Hakurei is a security-focused Linux container runtime for desktop applications."/>
<meta property="og:type" content="website"/>
<meta property="og:image" content="https://hakurei.app/opengraph.png"/>
<meta property="og:image:width" content="512"/>
<meta property="og:image:height" content="512"/>
<meta property="og:image:alt" content="Hakurei logo"/>
<meta property="og:site_name" content="Hakurei"/>
<meta property="og:url" content="https://hakurei.app/"/>
<link rel="canonical" href="https://hakurei.app/"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="icon" sizes="any" type="image/svg+xml" href="/favicon.svg"/>
<link rel="mask-icon" href="[[path|/mask-icon.svg]]" color="#1a1a1a"/>
<link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
[[css|/main.css]]
<link rel="manifest" href="/manifest.webmanifest"/>
<link rel="license" href="/LICENSE.txt"/>
<link rel="me" href="https://port.mk/@hakurei"/>
[[js|/js/redirect.js]]
</head>
<body>
{% with current_page="/" %}
{% include "header.html" %}
{% endwith %}
<main class="normalize" id="hakurei">
<div class="content hero">
<div>
<h1><a href="#hakurei">Hakurei</a></h1>
<p>A security-focused Linux container runtime for desktop applications.
Developed as a non-profit open source project.</p>
<a class="button" href="/install/">Install Hakurei</a>
</div>
<figure class="device-img">
<img class="laptop-img" width="288" height="171" src="[[path|/laptop.svg]]" alt=""/>
<img class="laptop-logo-img" width="108" height="108" src="[[path|/mask-icon.svg]]" alt=""/>
</figure>
</div>
<div class="surface">
<div class="content break">
<p>Get to know Hakurei</p>
</div>
</div>
<div class="content">
<section id="about">
<h2 class="start"><a href="#about">About</a></h2>
<p>Hakurei is a security-focused Linux container runtime for running unmodified
desktop applications, developed as a non-profit <a
href="https://git.gensokyo.uk/security/hakurei" target="_blank">open source</a>
project. It also implements <a href="/package.html">planterette</a>, an
experimental self-contained Android-like package manager with modern security
features.</p>
<p>Security on the desktop has always left something to be desired. While <a
href="https://www.qubes-os.org" target="_blank">Qubes OS</a> provides excellent
security, its performance and usability limitations make it unsuitable for most
use cases. Hakurei attempts to fill that gap by running applications natively
while still establishing decent compartmentalisation enforced by the kernel.</p>
<p>Hakurei runs each container as a dedicated subordinate user and sets up the
container via unprivileged user namespaces as another layer of defense against
privilege escalation. Unprivileged user namespace creation is made unavailable
in containers by default to reduce attack surface, but can be optionally enabled
for applications with strong built-in sandboxes to avoid having to ruin their
sandbox.</p>
<p>Official releases are available via <a
href="https://git.gensokyo.uk/security/hakurei/releases"
target="_blank">Gitea</a> and documentation for the included NixOS module can be found
<a href="https://git.gensokyo.uk/security/hakurei/src/branch/master/options.md"
target="_blank">here</a>.</p>
</section>
<section id="compatibility">
<h2><a href="#compatibility">OS Compatibility</a></h2>
<p>Hakurei does not try to support every major Linux distribution and its
kernel configuration. Most Debian-based distributions disable
unprivileged user namespace creation by default, and while that could be a
good way to reduce attack surface, it also disables a layer of security
where the kernel enforces strict limits on user namespaces created by
an unprivileged user. Having to set up the sandbox as root also adds
significant complexity to the setuid wrapper.
The reduction of attack surface is also made irrelevant since Hakurei can
disable unprivileged user namespace creation on a per-container basis.</p>
<p>Users on affected kernels can switch to an unmodified (and up-to-date) kernel
or enable unprivileged user namespace creation by setting the
<code>kernel.unprivileged_userns_clone</code> sysctl to 1.
Whether or not it increases attack surface is largely dependent on what runs
on the system; however, if all apps are spawned by Hakurei and the rest of the
system is sufficiently secured, enabling unprivileged user namespace creation
should not increase attack surface whatsoever.</p>
<p>While Hakurei is primarily developed on NixOS and relies on Nix for its
integration test suite, it does not target NixOS or make assumptions that are
only true on NixOS. Unfortunately, mistakes do happen semi-often as the
architecture of NixOS can often hide bugs and assumptions. Please <a
href="/contact.html">report</a> such anomalies if you encounter them.</p>
</section>
</div>
</main>
{% include "footer.html" %}
</body>
</html>
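
The "OS Compatibility" section above says unprivileged user namespace creation must be available on the host. The following check is an added example, not part of this file or of the Hakurei project: it reads `kernel.unprivileged_userns_clone` (named on the page) and, going beyond the page, two other kernel knobs that can block creation (`user.max_user_namespaces` and Ubuntu's `kernel.apparmor_restrict_unprivileged_userns`). The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether the host allows unprivileged user namespace
# creation. The optional argument (an assumption of this example) points the
# check at a directory laid out like /proc/sys, so it can be tested offline.

# read_knob FILE: print the knob's value, or "absent" when the kernel has none.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'absent'
    fi
}

# userns_status [ROOT]: print one status word; return 0 only for "enabled".
userns_status() {
    root=${1:-/proc/sys}
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")
    max=$(read_knob "$root/user/max_user_namespaces")
    aa=$(read_knob "$root/kernel/apparmor_restrict_unprivileged_userns")

    # Debian-patched kernels: 0 blocks creation by unprivileged users.
    # Unmodified kernels do not have this knob, so "absent" is not a failure.
    if [ "$clone" = 0 ]; then
        echo 'disabled:userns_clone'
        return 1
    fi
    # Upstream per-user limit: 0 means no user namespace can be created.
    if [ "$max" = 0 ]; then
        echo 'disabled:max_user_namespaces'
        return 1
    fi
    # Ubuntu: 1 makes AppArmor restrict unprivileged user namespaces.
    if [ "$aa" = 1 ]; then
        echo 'restricted:apparmor'
        return 1
    fi
    echo 'enabled'
}

# Check the running host, or the tree given as the first argument.
userns_status "${1:-/proc/sys}" || :
```

A result of `disabled:userns_clone` corresponds to the case the page describes, where setting the `kernel.unprivileged_userns_clone` sysctl to 1 or switching to an unmodified kernel is needed.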