feat: add sandboxed wechat (#196)

hardening/README.md

@@ -81,4 +81,3 @@ provide a much higher level of security.
   - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
 - Others:
   - Directly via `buildFHSUserEnvBubblewrap`:
-    https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix

hardening/bwraps/default.nix

@@ -0,0 +1,9 @@
+{
+  nixpkgs.overlays = [
+    (_: super: {
+      bwraps = {
+        wechat = super.callPackage ./wechat.nix {};
+      };
+    })
+  ];
+}

hardening/bwraps/wechat.nix

@@ -0,0 +1,78 @@
+# - wechat's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
+# Refer:
+# - Flatpak manifest's docs:
+#   - https://docs.flatpak.org/en/latest/manifests.html
+#   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+#
+# TODO Since appimageTools.wrapAppImage do not support overriding, I have to pack this package myself.
+# https://github.com/NixOS/nixpkgs/pull/358977
+{
+  appimageTools,
+  fetchurl,
+}: let
+  pname = "wechat";
+  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat/package.nix
+  version = "4.0.1.11";
+  src = fetchurl {
+    url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
+    hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo=";
+  };
+  # https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/we/wechat/linux.nix
+  appimageContents = appimageTools.extract {
+    inherit pname version src;
+    postExtract = ''
+      patchelf --replace-needed libtiff.so.5 libtiff.so $out/opt/wechat/wechat
+    '';
+  };
+in
+  appimageTools.wrapAppImage {
+    inherit pname version;
+
+    src = appimageContents;
+
+    extraInstallCommands = ''
+      mkdir -p $out/share/applications
+      cp ${appimageContents}/wechat.desktop $out/share/applications/
+      mkdir -p $out/share/pixmaps
+      cp ${appimageContents}/wechat.png $out/share/pixmaps/
+
+      substituteInPlace $out/share/applications/wechat.desktop --replace-fail AppRun wechat
+    '';
+
+    # Add these root paths to FHS sandbox to prevent WeChat from accessing them by default
+    # Adapted from https://aur.archlinux.org/cgit/aur.git/tree/wechat-universal.sh?h=wechat-universal-bwrap
+    extraPreBwrapCmds = ''
+      XDG_DOCUMENTS_DIR="''${XDG_DOCUMENTS_DIR:-$(xdg-user-dir DOCUMENTS)}"
+      if [[ -z "''${XDG_DOCUMENTS_DIR}" ]]; then
+          echo 'Error: Failed to get XDG_DOCUMENTS_DIR, refuse to continue'
+          exit 1
+      fi
+
+      WECHAT_DATA_DIR="''${XDG_DOCUMENTS_DIR}/WeChat_Data"
+
+      # Using ''${WECHAT_DATA_DIR} as Wechat Data folder
+      WECHAT_HOME_DIR="''${WECHAT_DATA_DIR}/home"
+      WECHAT_FILES_DIR="''${WECHAT_DATA_DIR}/xwechat_files"
+
+      mkdir -p "''${WECHAT_FILES_DIR}"
+      mkdir -p "''${WECHAT_HOME_DIR}"
+      ln -snf "''${WECHAT_FILES_DIR}" "''${WECHAT_HOME_DIR}/xwechat_files"
+    '';
+    extraBwrapArgs = [
+      "--tmpfs /home"
+      "--tmpfs /root"
+      # format: --bind <host-path> <sandbox-path>
+      "--bind \${WECHAT_HOME_DIR} \${HOME}"
+      "--bind \${WECHAT_FILES_DIR} \${WECHAT_FILES_DIR}"
+      "--chdir \${HOME}"
+      "--setenv QT_QPA_PLATFORM wayland"
+      "--setenv QT_AUTO_SCREEN_SCALE_FACTOR 1"
+    ];
+    chdirToPwd = false;
+    unshareNet = false;
+    unshareIpc = true;
+    unsharePid = true;
+    unshareUts = true;
+    unshareCgroup = true;
+    privateTmp = true;
+  }

hardening/nixpaks/default.nix

@@ -22,8 +22,8 @@ in {
         qq = wrapper super ./qq.nix;
         qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
 
-        wechat-uos = wrapper super ./wechat-uos.nix;
-        wechat-uos-desktop-item = super.callPackage ./wechat-uos-desktop-item.nix {};
+        wechat = wrapper super ./wechat.nix;
+        wechat-desktop-item = super.callPackage ./wechat-desktop-item.nix {};
 
         firefox = wrapper super ./firefox.nix;
         firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};

hardening/nixpaks/firefox.nix

@@ -60,7 +60,6 @@ mkNixPak {
         sloth.xdgVideosDir
       ];
       bind.ro = [
-        # To actually make Firefox run
         "/sys/bus/pci"
         ["${config.app.package}/lib/firefox" "/app/etc/firefox"]
 

hardening/nixpaks/qq-desktop-item.nix

@@ -5,7 +5,7 @@
 makeDesktopItem {
   name = "qq";
   desktopName = "QQ";
-  exec = "qq %U";
+  exec = "${qq}/bin/qq %U";
   terminal = false;
   # To find the icon name(nushell):
   #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'

hardening/nixpaks/wechat-uos-desktop-item.nix

@@ -1,17 +0,0 @@
-{
-  makeDesktopItem,
-  wechat-uos,
-}:
-makeDesktopItem {
-  name = "wechat";
-  desktopName = "WeChat";
-  exec = "wechat-uos %U";
-  terminal = false;
-  # To find the icon name(nushell):
-  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#wechat-uos.outPath | str trim --char '"'
-  #   tree $"($p)/share/icons"
-  icon = "${wechat-uos}/share/icons/hicolor/256x256/apps/com.tencent.wechat.png";
-  type = "Application";
-  categories = ["Network"];
-  comment = "Wechat boxed";
-}

hardening/nixpaks/wechat-uos.nix

@@ -1,69 +0,0 @@
-# TODO: wechat-uos is running in FHS sandbox by default, it's problematic
-#   to wrap it again via flatpak. We need to find a way to fix it.
-#   https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat-uos/package.nix
-# Refer:
-# - Flatpak manifest's docs:
-#   - https://docs.flatpak.org/en/latest/manifests.html
-#   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
-# - wechat-uos's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
-{
-  lib,
-  pkgs,
-  mkNixPak,
-  ...
-}:
-mkNixPak {
-  config = {sloth, ...}: {
-    app = {
-      package = pkgs.wechat-uos;
-      binPath = "bin/wechat-uos";
-    };
-    flatpak.appId = "com.tencent.WeChat";
-
-    imports = [
-      ./modules/gui-base.nix
-      ./modules/network.nix
-    ];
-
-    # list all dbus services:
-    #   ls -al /run/current-system/sw/share/dbus-1/services/
-    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
-    dbus.policies = {
-      "org.gnome.Shell.Screencast" = "talk";
-      # System tray icon
-      "org.freedesktop.Notifications" = "talk";
-      "org.kde.StatusNotifierWatcher" = "talk";
-      # File Manager
-      "org.freedesktop.FileManager1" = "talk";
-      # Uses legacy StatusNotifier implementation
-      "org.kde.*" = "own";
-    };
-    bubblewrap = {
-      # To trace all the home files QQ accesses, you can use the following nushell command:
-      #   just trace-access wechat-uos
-      # See the Justfile in the root of this repository for more information.
-      bind.rw = [
-        # given the read write permission to the following directories.
-        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-        (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
-
-        sloth.xdgDocumentsDir
-        sloth.xdgDownloadDir
-        sloth.xdgMusicDir
-        sloth.xdgVideosDir
-      ];
-      sockets = {
-        x11 = false;
-        wayland = true;
-        pipewire = true;
-      };
-
-      env = {
-        # Hidpi scale
-        "QT_AUTO_SCREEN_SCALE_FACTOR" = "1";
-        # Only supports xcb
-        "QT_QPA_PLATFORM" = "kcb";
-      };
-    };
-  };
-}

home/linux/gui/base/misc.nix

@@ -21,7 +21,7 @@
     pkgs.nixpaks.qq
     pkgs.nixpaks.qq-desktop-item
     # qqmusic
-    # wechat-uos
+    pkgs.bwraps.wechat
   ];
 
   # allow fontconfig to discover fonts and configurations installed through home.packages

hosts/idols-ai/preservation.nix

@@ -232,7 +232,6 @@ in {
         # Instant Messaging
         # ======================================
         ".config/QQ"
-        ".xwechat"
 
         ".local/share/TelegramDesktop"
 

outputs/x86_64-linux/src/idols-ai.nix

@@ -22,7 +22,7 @@
       # nixos hardening
       # "hardening/profiles/default.nix"
       "hardening/nixpaks"
-      # "hardening/apparmor"
+      "hardening/bwraps"
     ];
     home-modules = map mylib.relativeToRoot [
       # common