security/hakurei
6
3
Fork 1
Code Issues 11 Pull Requests 1 Actions 1 Packages Projects Releases 13 Wiki Activity

update README document
All checks were successful
Test / Create distribution (push) Successful in 30s
Details
Test / ShareFS (push) Successful in 37s
Details
Test / Sandbox (push) Successful in 44s
Details
Test / Sandbox (race detector) (push) Successful in 43s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Hakurei (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 3m15s
Details
Test / Flake checks (push) Successful in 1m39s
Details

Browse Source 
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra
2026-02-13 00:41:15 +09:00
parent 7cd14b8865
commit c620d88dce
1 changed files with 34 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
README.md
View File

@@ -15,164 +15,51 @@
<a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
</p>
Hakurei is a tool for running sandboxed graphical applications as dedicated subordinate users on the Linux kernel.
It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette),
a self-contained Android-like package manager with modern security features.
Hakurei is a tool for running sandboxed desktop applications as dedicated
subordinate users on the Linux kernel. It implements the application container
of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
self-contained Android-like package manager with modern security features.
## NixOS Module usage
Interaction with hakurei happens entirely through structures described by
package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
due to internal details of uid isolation.
The NixOS module currently requires home-manager to configure subordinate users. Full module documentation can be found [here](options.md).
## Notable Packages
To use the module, import it into your configuration with
Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
container tooling. It is used by the hakurei shim process running as the target
subordinate user to set up the application container. It has a single dependency,
[libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).
```nix
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
infrastructure for hermetic builds. This replaces the legacy nix-based testing
framework and serves as the build system of Rosa OS, currently developed under
package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).
hakurei = {
url = "git+https://git.gensokyo.uk/security/hakurei";
## Dependencies
# Optional but recommended to limit the size of your system closure.
inputs.nixpkgs.follows = "nixpkgs";
};
};
`container` depends on:
outputs = { self, nixpkgs, hakurei, ... }:
{
nixosConfigurations.hakurei = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
hakurei.nixosModules.hakurei
];
};
};
}
```
- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.
This adds the `environment.hakurei` option:
`cmd/hakurei` depends on:
```nix
{ pkgs, ... }:
- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
subordinate users.
- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
[security-context-v1](https://wayland.app/protocols/security-context-v1).
- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
access to the X server.
{
environment.hakurei = {
enable = true;
stateDir = "/var/lib/hakurei";
users = {
alice = 0;
nixos = 10;
};
`cmd/sharefs` depends on:
commonPaths = [
{
src = "/sdcard";
write = true;
}
];
- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.
extraHomeConfig = {
home.stateVersion = "23.05";
};
New dependencies will generally not be added. Patches adding new dependencies
are very likely to be rejected.
apps = {
"org.chromium.Chromium" = {
name = "chromium";
identity = 1;
packages = [ pkgs.chromium ];
userns = true;
mapRealUid = true;
dbus = {
system = {
filter = true;
talk = [
"org.bluez"
"org.freedesktop.Avahi"
"org.freedesktop.UPower"
];
};
session =
f:
f {
talk = [
"org.freedesktop.FileManager1"
"org.freedesktop.Notifications"
"org.freedesktop.ScreenSaver"
"org.freedesktop.secrets"
"org.kde.kwalletd5"
"org.kde.kwalletd6"
];
own = [
"org.chromium.Chromium.*"
"org.mpris.MediaPlayer2.org.chromium.Chromium.*"
"org.mpris.MediaPlayer2.chromium.*"
];
call = { };
broadcast = { };
};
};
};
## NixOS Module (deprecated)
"org.claws_mail.Claws-Mail" = {
name = "claws-mail";
identity = 2;
packages = [ pkgs.claws-mail ];
gpu = false;
capability.pulse = false;
};
"org.weechat" = {
name = "weechat";
identity = 3;
shareUid = true;
packages = [ pkgs.weechat ];
capability = {
wayland = false;
x11 = false;
dbus = true;
pulse = false;
};
};
"dev.vencord.Vesktop" = {
name = "discord";
identity = 3;
shareUid = true;
packages = [ pkgs.vesktop ];
share = pkgs.vesktop;
command = "vesktop --ozone-platform-hint=wayland";
userns = true;
mapRealUid = true;
capability.x11 = true;
dbus = {
session =
f:
f {
talk = [ "org.kde.StatusNotifierWatcher" ];
own = [ ];
call = { };
broadcast = { };
};
system.filter = true;
};
};
"io.looking-glass" = {
name = "looking-glass-client";
identity = 4;
useCommonPaths = false;
groups = [ "plugdev" ];
extraPaths = [
{
src = "/dev/shm/looking-glass";
write = true;
}
];
extraConfig = {
programs.looking-glass-client.enable = true;
};
};
};
};
}
```
The NixOS module is in maintenance mode and will be removed once planterette is
feature-complete. Full module documentation can be found [here](options.md).