diff --git a/README.md b/README.md
index 0ac6e32..bb38478 100644
--- a/README.md
+++ b/README.md
@@ -15,164 +15,51 @@ Website

-Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
-It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
-a self-contained Android-like package manager with modern security features.
+Hakurei is a tool for running sandboxed desktop applications as dedicated
+subordinate users on the Linux kernel. It implements the application container
+of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
+self-contained Android-like package manager with modern security features.
-## NixOS Module usage
+Interaction with hakurei happens entirely through structures described by
+package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
+due to internal details of uid isolation.
-The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
+## Notable Packages
-To use the module, import it into your configuration with
+Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
+container tooling. It is used by the hakurei shim process running as the target
+subordinate user to set up the application container. It has a single dependency,
+[libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
+for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).
-```nix
-{
- inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
+infrastructure for hermetic builds. This replaces the legacy nix-based testing
+framework and serves as the build system of Rosa OS, currently developed under
+package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).
- hakurei = {
- url = "git+https://git.gensokyo.uk/security/hakurei";
+## Dependencies
- # Optional but recommended to limit the size of your system closure.
- inputs.nixpkgs.follows = "nixpkgs";
- };
- };
+`container` depends on:
- outputs = { self, nixpkgs, hakurei, ... }:
- {
- nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- hakurei.nixosModules.hakurei
- ];
- };
- };
-}
-```
+- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.
-This adds the `environment.hakurei` option:
+`cmd/hakurei` depends on:
-```nix
-{ pkgs, ... }:
+- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
+ subordinate users.
+- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
+ [security-context-v1](https://wayland.app/protocols/security-context-v1).
+- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
+ access to the X server.
-{
- environment.hakurei = {
- enable = true;
- stateDir = "/var/lib/hakurei";
- users = {
- alice = 0;
- nixos = 10;
- };
+`cmd/sharefs` depends on:
- commonPaths = [
- {
- src = "/sdcard";
- write = true;
- }
- ];
+- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.
- extraHomeConfig = {
- home.stateVersion = "23.05";
- };
+New dependencies will generally not be added. Patches adding new dependencies
+are very likely to be rejected.
- apps = {
- "org.chromium.Chromium" = {
- name = "chromium";
- identity = 1;
- packages = [ pkgs.chromium ];
- userns = true;
- mapRealUid = true;
- dbus = {
- system = {
- filter = true;
- talk = [
- "org.bluez"
- "org.freedesktop.Avahi"
- "org.freedesktop.UPower"
- ];
- };
- session =
- f:
- f {
- talk = [
- "org.freedesktop.FileManager1"
- "org.freedesktop.Notifications"
- "org.freedesktop.ScreenSaver"
- "org.freedesktop.secrets"
- "org.kde.kwalletd5"
- "org.kde.kwalletd6"
- ];
- own = [
- "org.chromium.Chromium.*"
- "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
- "org.mpris.MediaPlayer2.chromium.*"
- ];
- call = { };
- broadcast = { };
- };
- };
- };
+## NixOS Module (deprecated)
- "org.claws_mail.Claws-Mail" = {
- name = "claws-mail";
- identity = 2;
- packages = [ pkgs.claws-mail ];
- gpu = false;
- capability.pulse = false;
- };
-
- "org.weechat" = {
- name = "weechat";
- identity = 3;
- shareUid = true;
- packages = [ pkgs.weechat ];
- capability = {
- wayland = false;
- x11 = false;
- dbus = true;
- pulse = false;
- };
- };
-
- "dev.vencord.Vesktop" = {
- name = "discord";
- identity = 3;
- shareUid = true;
- packages = [ pkgs.vesktop ];
- share = pkgs.vesktop;
- command = "vesktop --ozone-platform-hint=wayland";
- userns = true;
- mapRealUid = true;
- capability.x11 = true;
- dbus = {
- session =
- f:
- f {
- talk = [ "org.kde.StatusNotifierWatcher" ];
- own = [ ];
- call = { };
- broadcast = { };
- };
- system.filter = true;
- };
- };
-
- "io.looking-glass" = {
- name = "looking-glass-client";
- identity = 4;
- useCommonPaths = false;
- groups = [ "plugdev" ];
- extraPaths = [
- {
- src = "/dev/shm/looking-glass";
- write = true;
- }
- ];
- extraConfig = {
- programs.looking-glass-client.enable = true;
- };
- };
- };
- };
-}
-```
+The NixOS module is in maintenance mode and will be removed once planterette is
+feature-complete. Full module documentation can be found [here](options.md).
\ No newline at end of file