chore: remove firejail

2026-01-11 22:30:25 +01:00 · 2025-06-19 20:01:20 +08:00
parent 8584c3c98b
commit c8a714a05e
3 changed files with 4 additions and 110 deletions
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -7,10 +7,10 @@
 - **System Level**: Protect critical files from being accessed by untrusted applications.
  1. Such as browser cookies, SSH keys, etc.
 - **Per-App Level**: Prevent untrusted applications(such as closed-source apps) from:
-  1.  Accessing files they shouldn't.
-      - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
-  1.  Accessing the network when they don't need to.
-  1.  Accessing hardware devices they don't need.
+  1. Accessing files they shouldn't.
+     - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
+  1. Accessing the network when they don't need to.
+  1. Accessing hardware devices they don't need.

 ## Current Status

--- a/hardening/firejail/default.nix
+++ b/hardening/firejail/default.nix
@@ -1,71 +0,0 @@
-{pkgs, ...}: let
-  firejailWrapper = import ./firejailWrapper.nix pkgs;
-in {
-  programs.firejail.enable = true;
-
-  # Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules
-  nixpkgs.overlays = [
-    (_: super: {
-      firejailed = {
-        steam = firejailWrapper {
-          name = "steam-firejailed";
-          executable = "${super.steam}/bin/steam";
-          profile = "${super.firejail}/etc/firejail/steam.profile";
-        };
-        steam-run = firejailWrapper {
-          name = "steam-run-firejailed";
-          executable = "${super.steam}/bin/steam-run";
-          profile = "${super.firejail}/etc/firejail/steam.profile";
-        };
-
-        # firefox = firejailWrapper {
-        #   name = "firefox-firejailed";
-        #   executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox";
-        #   profile = "${super.firejail}/etc/firejail/firefox.profile";
-        # };
-        # chromium = firejailWrapper {
-        #   name = "chromium-firejailed";
-        #   executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium";
-        #   profile = "${super.firejail}/etc/firejail/chromium.profile";
-        # };
-
-        mpv = firejailWrapper {
-          executable = "${super.lib.getBin super.mpv}/bin/mpv";
-          profile = "${super.firejail}/etc/firejail/mpv.profile";
-        };
-        imv = firejailWrapper {
-          executable = "${super.lib.getBin super.imv}/bin/imv";
-          profile = "${super.firejail}/etc/firejail/imv.profile";
-        };
-        zathura = firejailWrapper {
-          executable = "${super.lib.getBin super.zathura}/bin/zathura";
-          profile = "${super.firejail}/etc/firejail/zathura.profile";
-        };
-        slack = firejailWrapper {
-          executable = "${super.lib.getBin super.slack}/bin/slack";
-          profile = "${super.firejail}/etc/firejail/slack.profile";
-        };
-        telegram-desktop = firejailWrapper {
-          executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop";
-          profile = "${super.firejail}/etc/firejail/telegram-desktop.profile";
-        };
-        brave = firejailWrapper {
-          executable = "${super.lib.getBin super.brave}/bin/brave";
-          profile = "${super.firejail}/etc/firejail/brave.profile";
-        };
-        qutebrowser = firejailWrapper {
-          executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser";
-          profile = "${super.firejail}/etc/firejail/qutebrowser.profile";
-        };
-        thunar = firejailWrapper {
-          executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar";
-          profile = "${super.firejail}/etc/firejail/thunar.profile";
-        };
-        vscodium = firejailWrapper {
-          executable = "${super.lib.getBin super.vscodium}/bin/vscodium";
-          profile = "${super.firejail}/etc/firejail/vscodium.profile";
-        };
-      };
-    })
-  ];
-}
--- a/hardening/firejail/firejailWrapper.nix
+++ b/hardening/firejail/firejailWrapper.nix
@@ -1,35 +0,0 @@
-# https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/
-pkgs: {
-  name ? "firejail-wrapper",
-  executable,
-  desktop ? null,
-  profile ? null,
-  extraArgs ? [],
-}:
-pkgs.runCommand name
-{
-  preferLocalBuild = true;
-  allowSubstitutes = false;
-  meta.priority = -1; # take precedence over non-firejailed versions
-}
-(
-  let
-    firejailArgs = pkgs.lib.concatStringsSep " " (
-      extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}")
-    );
-  in
-    ''
-      command_path="$out/bin/$(basename ${executable})-jailed"
-      mkdir -p $out/bin
-      mkdir -p $out/share/applications
-      cat <<'_EOF' >"$command_path"
-      #! ${pkgs.runtimeShell} -e
-      exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@"
-      _EOF
-      chmod 0755 "$command_path"
-    ''
-    + pkgs.lib.optionalString (desktop != null) ''
-      substitute ${desktop} $out/share/applications/$(basename ${desktop}) \
-        --replace ${executable} "$command_path"
-    ''
-)