Yukari


Hakurei is a tool for running sandboxed desktop applications as dedicated subordinate users on the Linux kernel. It implements the application container of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a self-contained Android-like package manager with modern security features.

Interaction with hakurei happens entirely through structures described by package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available due to internal details of uid isolation.

## Notable Packages

Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose container tooling. It is used by the hakurei shim process running as the target subordinate user to set up the application container. It has a single dependency, [libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).

Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides infrastructure for hermetic builds. This replaces the legacy nix-based testing framework and serves as the build system of Rosa OS, currently developed under package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).

## Dependencies

`container` depends on:

- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.

`cmd/hakurei` depends on:

- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to subordinate users.
- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up [security-context-v1](https://wayland.app/protocols/security-context-v1).
- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users access to the X server.

`cmd/sharefs` depends on:

- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.

New dependencies will generally not be added. Patches adding new dependencies are very likely to be rejected.
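The `container` package above relies on libseccomp to emit the BPF program that the kernel applies as the system call filter. To make concrete what such a program looks like, here is an added example (not hakurei's own code, which goes through libseccomp rather than hand-assembling instructions) that builds a minimal seccomp allowlist filter with the Go standard library only, serialises it in the `struct sock_filter` layout the kernel expects, and interprets it against constructed `seccomp_data` values so the decision for each syscall can be checked without loading anything into a kernel. The opcode, return-action and `AUDIT_ARCH_X86_64` constants are the kernel's; the allowed syscall numbers and errno in `main` are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Classic BPF opcodes (linux/bpf_common.h) and seccomp return actions
// (linux/seccomp.h) used by the builder and the interpreter below.
const (
	opLdAbsW = 0x20 // BPF_LD | BPF_W | BPF_ABS: load a 32-bit word from seccomp_data
	opJeqK   = 0x15 // BPF_JMP | BPF_JEQ | BPF_K: jump jt/jf depending on acc == k
	opRetK   = 0x06 // BPF_RET | BPF_K: return the constant k as the filter action

	retAllow       = 0x7fff0000 // SECCOMP_RET_ALLOW
	retKillProcess = 0x80000000 // SECCOMP_RET_KILL_PROCESS
	retErrno       = 0x00050000 // SECCOMP_RET_ERRNO; low 16 bits carry the errno

	archX8664 = 0xc000003e // AUDIT_ARCH_X86_64

	offNr   = 0 // offsetof(struct seccomp_data, nr)
	offArch = 4 // offsetof(struct seccomp_data, arch)
)

// Insn mirrors struct sock_filter, one classic BPF instruction.
type Insn struct {
	Code uint16
	JT   uint8
	JF   uint8
	K    uint32
}

// SeccompData carries the two fields of struct seccomp_data the filter reads.
type SeccompData struct {
	Nr   uint32
	Arch uint32
}

// BuildAllowlist assembles a filter that kills the process on an architecture
// mismatch, allows the listed syscall numbers and fails every other syscall
// with the given errno. Jump offsets are 8-bit, so at most 255 entries fit
// in this single-table layout.
func BuildAllowlist(arch uint32, allowed []uint32, errno uint16) []Insn {
	prog := []Insn{
		{Code: opLdAbsW, K: offArch},
		{Code: opJeqK, JT: 1, JF: 0, K: arch}, // match: skip the kill below
		{Code: opRetK, K: retKillProcess},     // wrong ABI: never consult nr
		{Code: opLdAbsW, K: offNr},
	}
	// Each match jumps over the remaining comparisons and the errno return,
	// landing on the final ALLOW; a miss falls through to the next compare.
	for i := range allowed {
		toAllow := uint8(len(allowed) - i)
		prog = append(prog, Insn{Code: opJeqK, JT: toAllow, JF: 0, K: allowed[i]})
	}
	return append(prog,
		Insn{Code: opRetK, K: retErrno | uint32(errno)},
		Insn{Code: opRetK, K: retAllow},
	)
}

// Encode serialises the program as the kernel reads it from sock_fprog.filter:
// 8 bytes per instruction, fields in native (here little-endian) byte order.
func Encode(prog []Insn) []byte {
	buf := make([]byte, 8*len(prog))
	for i, in := range prog {
		binary.LittleEndian.PutUint16(buf[8*i:], in.Code)
		buf[8*i+2] = in.JT
		buf[8*i+3] = in.JF
		binary.LittleEndian.PutUint32(buf[8*i+4:], in.K)
	}
	return buf
}

// Run interprets the BPF subset the builder emits against a synthetic
// seccomp_data and returns the SECCOMP_RET_* action the kernel would take.
func Run(prog []Insn, d SeccompData) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.Code {
		case opLdAbsW:
			switch in.K {
			case offNr:
				acc = d.Nr
			case offArch:
				acc = d.Arch
			default:
				return 0, fmt.Errorf("pc %d: unsupported load offset %d", pc, in.K)
			}
		case opJeqK:
			if acc == in.K {
				pc += int(in.JT)
			} else {
				pc += int(in.JF)
			}
		case opRetK:
			return in.K, nil
		default:
			return 0, fmt.Errorf("pc %d: unsupported opcode %#x", pc, in.Code)
		}
	}
	return 0, fmt.Errorf("program fell off the end") // the kernel rejects such filters
}

func main() {
	// Constructed sample policy: x86_64 read(0), write(1), exit_group(231); EPERM otherwise.
	prog := BuildAllowlist(archX8664, []uint32{0, 1, 231}, 1)
	fmt.Printf("%d instructions, %d bytes\n", len(prog), len(Encode(prog)))
	for _, d := range []SeccompData{{Nr: 1, Arch: archX8664}, {Nr: 2, Arch: archX8664}, {Nr: 1, Arch: 0x40000003}} {
		act, err := Run(prog, d)
		fmt.Printf("nr=%d arch=%#x -> action %#x err=%v\n", d.Nr, d.Arch, act, err)
	}
}
```

The architecture check comes first on purpose: without it a process could reach a different syscall table (for example the 32-bit ABI on an x86_64 kernel) where the same numbers mean different calls, which is the classic way an allowlist gets bypassed. Returning `SECCOMP_RET_ERRNO` rather than killing on unlisted calls keeps the sandboxed program running while still denying the operation, which is usually what a desktop application container wants.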
## NixOS Module (deprecated)

The NixOS module is in maintenance mode and will be removed once planterette is feature-complete. Full module documentation can be found [here](options.md).