fortify

command module
v0.2.4 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 18, 2024 License: MIT Imports: 18 Imported by: 0

README

Fortify


Fortify lets you run graphical applications as another user in a confined environment, with a nice NixOS module to configure target users and provide launchers and desktop files for your privileged user.

Why would you want this?

  • It protects the desktop environment from applications.

  • It protects applications from each other.

  • It provides UID isolation on top of the standard application sandbox.

If you have a flakes-enabled nix environment, you can try out the tool by running:

nix run git+https://git.ophivana.moe/security/fortify -- help

Module usage

The NixOS module currently requires home-manager to function correctly.

Full module documentation can be found here.

To use the module, import it into your configuration with

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

    fortify = {
      url = "git+https://git.ophivana.moe/security/fortify";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, fortify, ... }:
  {
    nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        fortify.nixosModules.fortify
      ];
    };
  };
}
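
Since the module requires home-manager, the flake also has to bring in home-manager's NixOS module. The following variant of the flake above is an added example, not part of the original README; the home-manager input URL and its release branch are assumptions chosen to match the nixpkgs release used here.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

    # Assumption: home-manager release branch matching the nixpkgs release above.
    home-manager = {
      url = "github:nix-community/home-manager/release-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    fortify = {
      url = "git+https://git.ophivana.moe/security/fortify";

      # Optional but recommended to limit the size of your system closure.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, home-manager, fortify, ... }:
  {
    nixosConfigurations.fortify = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        # home-manager's NixOS module, which the fortify module depends on.
        home-manager.nixosModules.home-manager
        fortify.nixosModules.fortify
      ];
    };
  };
}
```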

This adds the environment.fortify option:

{ pkgs, ... }:

{
  environment.fortify = {
    enable = true;
    stateDir = "/var/lib/persist/module/fortify";
    users = {
      alice = 0;
      nixos = 10;
    };

    apps = [
      {
        name = "chromium";
        id = "org.chromium.Chromium";
        packages = [ pkgs.chromium ];
        userns = true;
        mapRealUid = true;
        dbus = {
          system = {
            filter = true;
            talk = [
              "org.bluez"
              "org.freedesktop.Avahi"
              "org.freedesktop.UPower"
            ];
          };
          session =
            f:
            f {
              talk = [
                "org.freedesktop.FileManager1"
                "org.freedesktop.Notifications"
                "org.freedesktop.ScreenSaver"
                "org.freedesktop.secrets"
                "org.kde.kwalletd5"
                "org.kde.kwalletd6"
              ];
              own = [
                "org.chromium.Chromium.*"
                "org.mpris.MediaPlayer2.org.chromium.Chromium.*"
                "org.mpris.MediaPlayer2.chromium.*"
              ];
              call = { };
              broadcast = { };
            };
        };
      }
      {
        name = "claws-mail";
        id = "org.claws_mail.Claws-Mail";
        packages = [ pkgs.claws-mail ];
        gpu = false;
        capability.pulse = false;
      }
      {
        name = "weechat";
        packages = [ pkgs.weechat ];
        capability = {
          wayland = false;
          x11 = false;
          dbus = true;
          pulse = false;
        };
      }
      {
        name = "discord";
        id = "dev.vencord.Vesktop";
        packages = [ pkgs.vesktop ];
        share = pkgs.vesktop;
        command = "vesktop --ozone-platform-hint=wayland";
        userns = true;
        mapRealUid = true;
        capability.x11 = true;
        dbus = {
          session =
            f:
            f {
              talk = [ "org.kde.StatusNotifierWatcher" ];
              own = [ ];
              call = { };
              broadcast = { };
            };
          system.filter = true;
        };
      }
      {
        name = "looking-glass-client";
        groups = [ "plugdev" ];
        extraPaths = [
          {
            src = "/dev/shm/looking-glass";
            write = true;
          }
        ];
        extraConfig = {
          programs.looking-glass-client.enable = true;
        };
      }
    ];
  };
}

Documentation


There is no documentation for this package.

Directories

Path Synopsis
Package acl implements simple ACL manipulation via libacl.
cmd
fsu
Package dbus wraps xdg-dbus-proxy and implements configuration and sandboxing of the underlying helper process.
Package fst exports shared fortify types.
Package helper runs external helpers with optional sandboxing and manages their status/args pipes.
app
fmsg
Package fmsg provides various functions for output messages.
Package ldd retrieves linker information by invoking ldd from glibc or musl and parsing its output.
Package wl implements Wayland security_context_v1 protocol.
Package xcb implements X11 ChangeHosts via libxcb.
