security/hakurei
6
3
Fork 1
Code Issues 11 Pull Requests 1 Actions 1 Packages Projects Releases 13 Wiki Activity
Files
d49e6544826c533c395e6a1526d672e9ae93ef16
hakurei/README.md
Ophestra c620d88dce
All checks were successful
Test / Create distribution (push) Successful in 30s
Details
Test / ShareFS (push) Successful in 37s
Details
Test / Sandbox (push) Successful in 44s
Details
Test / Sandbox (race detector) (push) Successful in 43s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Hakurei (push) Successful in 50s
Details
Test / Hakurei (race detector) (push) Successful in 3m15s
Details
Test / Flake checks (push) Successful in 1m39s
Details
update README document 
Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-02-13 01:38:50 +09:00

65 lines
3.1 KiB
Markdown
Raw Blame History

<p align="center">
<a href="https://git.gensokyo.uk/security/hakurei">
<picture>
<img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
</picture>
</a>
</p>
<p align="center">
<a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
<a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
<br/>
<a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
<a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
<a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
</p>
Hakurei is a tool for running sandboxed desktop applications as dedicated
subordinate users on the Linux kernel. It implements the application container
of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
self-contained Android-like package manager with modern security features.
Interaction with hakurei happens entirely through structures described by
package [hst](https://pkg.go.dev/hakurei.app/hst). No native API is available
due to internal details of uid isolation.
## Notable Packages
Package [container](https://pkg.go.dev/hakurei.app/container) is general purpose
container tooling. It is used by the hakurei shim process running as the target
subordinate user to set up the application container. It has a single dependency,
[libseccomp](https://github.com/seccomp/libseccomp), to create BPF programs
for the [system call filter](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html).
Package [internal/pkg](https://pkg.go.dev/hakurei.app/internal/pkg) provides
infrastructure for hermetic builds. This replaces the legacy nix-based testing
framework and serves as the build system of Rosa OS, currently developed under
package [internal/rosa](https://pkg.go.dev/hakurei.app/internal/rosa).
## Dependencies
`container` depends on:
- [libseccomp](https://github.com/seccomp/libseccomp) to generate BPF programs.
`cmd/hakurei` depends on:
- [acl](https://savannah.nongnu.org/projects/acl/) to export sockets to
subordinate users.
- [wayland](https://gitlab.freedesktop.org/wayland/wayland) to set up
[security-context-v1](https://wayland.app/protocols/security-context-v1).
- [xcb](https://xcb.freedesktop.org/) to grant and revoke subordinate users
access to the X server.
`cmd/sharefs` depends on:
- [fuse](https://github.com/libfuse/libfuse) to implement the filesystem.
New dependencies will generally not be added. Patches adding new dependencies
are very likely to be rejected.
## NixOS Module (deprecated)
The NixOS module is in maintenance mode and will be removed once planterette is
feature-complete. Full module documentation can be found [here](options.md).
Reference in New Issue View Git Blame Copy Permalink