nix-config-ryan4yin/hardening

Linux Hardening

Work in progress.

Goal

• System Level: Protect critical files from being accessed by untrusted applications.
  1. Such as browser cookies, SSH keys, etc.
• Per-App Level: Prevent untrusted applications(such as closed-source apps) from:
  1. Accessing files they shouldn't.
     • Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
  2. Accessing the network when they don't need to.
  3. Accessing hardware devices they don't need.

Current Structure

1. System Level

• AppArmor (apparmor/): AppArmor profiles and configuration
• Kernel & System Hardening (profiles/): System-wide hardening profiles

2. Per-App Level

• Nixpak (nixpaks/): Bubblewrap-based sandboxing for applications
  • Firefox configuration
  • QQ (Chinese messaging app) configuration
  • Modular system with reusable components
• Firejail (legacy): SUID-based sandboxing (not used)
• Bubblewrap (bwraps/): Direct bubblewrap configurations
  • WeChat sandboxing configuration

Current Implementation Status

Component	Status	Notes
AppArmor Profiles	🚧 WIP	Basic structure in place
Nixpak Firefox	✅ Active	Firefox sandboxing via nixpak
Nixpak QQ	✅ Active	QQ application sandboxing
Bubblewrap WeChat	✅ Active	WeChat specific sandboxing
System Profiles	🚧 WIP	Hardened system configurations

Directory Structure

hardening/
├── README.md
├── apparmor/           # AppArmor security profiles
│   └── default.nix
├── bwraps/            # Direct bubblewrap configurations
│   ├── default.nix
│   └── wechat.nix
├── nixpaks/           # Nixpak application sandboxing
│   ├── default.nix
│   ├── firefox.nix
│   ├── qq.nix
│   └── modules/       # Reusable nixpak modules
│       ├── gui-base.nix
│       └── network.nix
└── profiles/          # System hardening profiles
    └── default.nix

Kernel Hardening

• NixOS Kernel Config: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/kernel/hardened/config.nix

System Hardening

• NixOS Profile: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
• Apparmor: roddhjav/apparmor.d
  • https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
  • AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
  • But all the profiles of AppArmor assume a FHS filesystem, which caused all apparmor policies takes no effect on NixOS.
  • Apparmor on NixOS Roadmap:
    • https://discourse.nixos.org/t/apparmor-on-nixos-roadmap/57217
    • https://github.com/LordGrimmauld/aa-alias-manager
• SELinux: too complex, not recommended for personal use.

Application Sandboxing

• Bubblewrap: nixpak, more secure than firejail, but no batteries included.
  • NixOS's FHSEnv is implemented using bubblewrap by default.
• Firejail: A SUID security sandbox with hundreds of security profiles for many common applications in the default installation.
  • https://wiki.nixos.org/wiki/Firejail
  • Firejail needs SUID to work, which is considered a security risk - Does firejail improve the security of my system?
• Systemd/Hardening: Systemd also provides some sandboxing features.

NOTE

Running untrusted code is never safe, kernel hardening & sandboxing cannot change this.

If you want to run untrusted code, please use a VM & an isolated network environment, which will provide a much higher level of security.

References

• Harden your NixOS workstation - dataswamp
• Linux Insecurities - Madaidans
• Sandboxing all programs by default - NixOS Discourse
• Paranoid NixOS Setup - xeiaso
• nix-mineral: NixOS module for convenient system hardening.
• apparmor configs:
  • 4fe177f698/modules/nixos/security/apparmor.nix (L4)
  • https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
• Others:
  • Directly via buildFHSUserEnvBubblewrap: