chore: remove firejail

2026-04-25 09:28:27 +02:00 · 2025-06-19 20:01:20 +08:00
parent 8584c3c98b
commit c8a714a05e
3 changed files with 4 additions and 110 deletions
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -7,10 +7,10 @@
 - **System Level**: Protect critical files from being accessed by untrusted applications.
  1. Such as browser cookies, SSH keys, etc.
 - **Per-App Level**: Prevent untrusted applications(such as closed-source apps) from:
-  1.  Accessing files they shouldn't.
+  1. Accessing files they shouldn't.
-      - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
+     - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
-  1.  Accessing the network when they don't need to.
+  1. Accessing the network when they don't need to.
-  1.  Accessing hardware devices they don't need.
+  1. Accessing hardware devices they don't need.
 ## Current Status
--- a/hardening/firejail/default.nix
+++ b/hardening/firejail/default.nix
@@ -1,71 +0,0 @@
 {pkgs, ...}: let
  firejailWrapper = import ./firejailWrapper.nix pkgs;
 in {
  programs.firejail.enable = true;
  # Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules
  nixpkgs.overlays = [
    (_: super: {
      firejailed = {
        steam = firejailWrapper {
          name = "steam-firejailed";
          executable = "${super.steam}/bin/steam";
          profile = "${super.firejail}/etc/firejail/steam.profile";
        };
        steam-run = firejailWrapper {
          name = "steam-run-firejailed";
          executable = "${super.steam}/bin/steam-run";
          profile = "${super.firejail}/etc/firejail/steam.profile";
        };
        # firefox = firejailWrapper {
        #   name = "firefox-firejailed";
        #   executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox";
        #   profile = "${super.firejail}/etc/firejail/firefox.profile";
        # };
        # chromium = firejailWrapper {
        #   name = "chromium-firejailed";
        #   executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium";
        #   profile = "${super.firejail}/etc/firejail/chromium.profile";
        # };
        mpv = firejailWrapper {
          executable = "${super.lib.getBin super.mpv}/bin/mpv";
          profile = "${super.firejail}/etc/firejail/mpv.profile";
        };
        imv = firejailWrapper {
          executable = "${super.lib.getBin super.imv}/bin/imv";
          profile = "${super.firejail}/etc/firejail/imv.profile";
        };
        zathura = firejailWrapper {
          executable = "${super.lib.getBin super.zathura}/bin/zathura";
          profile = "${super.firejail}/etc/firejail/zathura.profile";
        };
        slack = firejailWrapper {
          executable = "${super.lib.getBin super.slack}/bin/slack";
          profile = "${super.firejail}/etc/firejail/slack.profile";
        };
        telegram-desktop = firejailWrapper {
          executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop";
          profile = "${super.firejail}/etc/firejail/telegram-desktop.profile";
        };
        brave = firejailWrapper {
          executable = "${super.lib.getBin super.brave}/bin/brave";
          profile = "${super.firejail}/etc/firejail/brave.profile";
        };
        qutebrowser = firejailWrapper {
          executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser";
          profile = "${super.firejail}/etc/firejail/qutebrowser.profile";
        };
        thunar = firejailWrapper {
          executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar";
          profile = "${super.firejail}/etc/firejail/thunar.profile";
        };
        vscodium = firejailWrapper {
          executable = "${super.lib.getBin super.vscodium}/bin/vscodium";
          profile = "${super.firejail}/etc/firejail/vscodium.profile";
        };
      };
    })
  ];
 }
--- a/hardening/firejail/firejailWrapper.nix
+++ b/hardening/firejail/firejailWrapper.nix
@@ -1,35 +0,0 @@
 # https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/
 pkgs: {
  name ? "firejail-wrapper",
  executable,
  desktop ? null,
  profile ? null,
  extraArgs ? [],
 }:
 pkgs.runCommand name
 {
  preferLocalBuild = true;
  allowSubstitutes = false;
  meta.priority = -1; # take precedence over non-firejailed versions
 }
 (
  let
    firejailArgs = pkgs.lib.concatStringsSep " " (
      extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}")
    );
  in
    ''
      command_path="$out/bin/$(basename ${executable})-jailed"
      mkdir -p $out/bin
      mkdir -p $out/share/applications
      cat <<'_EOF' >"$command_path"
      #! ${pkgs.runtimeShell} -e
      exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@"
      _EOF
      chmod 0755 "$command_path"
    ''
    + pkgs.lib.optionalString (desktop != null) ''
      substitute ${desktop} $out/share/applications/$(basename ${desktop}) \
        --replace ${executable} "$command_path"
    ''
 )