mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-06-11 00:52:43 +02:00
Ryan Yin
af0ef6d154
Flake lock file updates:
• Updated input 'nixpkgs-patched':
'github:ryan4yin/nixpkgs/d373b16187b32770d99f6ff54a133d9543e68702?narHash=sha256-75W3YfzkkKvpE3/wtHMihlT9kOnQZxWpLoshw1xu0T8%3D' (2026-03-20)
→ 'github:ryan4yin/nixpkgs/4425024452e93ce3d10e11bcd9b47f1dfa78593b?narHash=sha256-pu3loLm4gvcbh8iibeYDGgPHOVFXb8sAKEzJ9AxX5L4%3D' (2026-06-03)
fix: qq
Linux Hardening
Work in progress.
Goal
- System Level: Protect critical files from being accessed by untrusted applications.
- Such as browser cookies, SSH keys, etc.
- Per-App Level: Prevent untrusted applications(such as closed-source apps) from:
- Accessing files they shouldn't.
- Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
- Accessing the network when they don't need to.
- Accessing hardware devices they don't need.
- Accessing files they shouldn't.
Current Structure
1. System Level
- AppArmor (
apparmor/): AppArmor profiles and configuration - Kernel & System Hardening (
profiles/): System-wide hardening profiles
2. Per-App Level
- Nixpak (
nixpaks/): Bubblewrap-based sandboxing for applications- Firefox configuration
- QQ (Chinese messaging app) configuration
- Modular system with reusable components
- Firejail (legacy): SUID-based sandboxing (not used)
- Bubblewrap (
bwraps/): Direct bubblewrap configurations- WeChat sandboxing configuration
Current Implementation Status
| Component | Status | Notes |
|---|---|---|
| AppArmor Profiles | 🚧 WIP | Basic structure in place |
| Nixpak Firefox | ✅ Active | Firefox sandboxing via nixpak |
| Nixpak QQ | ✅ Active | QQ application sandboxing |
| Bubblewrap WeChat | ✅ Active | WeChat specific sandboxing |
| System Profiles | 🚧 WIP | Hardened system configurations |
Directory Structure
hardening/
├── README.md
├── apparmor/ # AppArmor security profiles
│ └── default.nix
├── bwraps/ # Direct bubblewrap configurations
│ ├── default.nix
│ └── wechat.nix
├── nixpaks/ # Nixpak application sandboxing
│ ├── default.nix
│ ├── firefox.nix
│ ├── qq.nix
│ └── modules/ # Reusable nixpak modules
│ ├── gui-base.nix
│ └── network.nix
└── profiles/ # System hardening profiles
└── default.nix
Kernel Hardening
- NixOS Kernel Config: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/kernel/hardened/config.nix
System Hardening
- NixOS Profile: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
- Apparmor: roddhjav/apparmor.d
- https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
- AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
- But all the profiles of AppArmor assume a FHS filesystem, which caused all apparmor policies takes no effect on NixOS.
- Apparmor on NixOS Roadmap:
- SELinux: too complex, not recommended for personal use.
Application Sandboxing
- Bubblewrap:
nixpak, more secure than firejail, but no batteries included.
- NixOS's FHSEnv is implemented using bubblewrap by default.
- Firejail: A SUID security sandbox with
hundreds of security profiles for many common applications in the default installation.
- https://wiki.nixos.org/wiki/Firejail
- Firejail needs SUID to work, which is considered a security risk - Does firejail improve the security of my system?
- Systemd/Hardening: Systemd also provides some sandboxing features.
NOTE
Running untrusted code is never safe, kernel hardening & sandboxing cannot change this.
If you want to run untrusted code, please use a VM & an isolated network environment, which will provide a much higher level of security.
References
- Harden your NixOS workstation - dataswamp
- Linux Insecurities - Madaidans
- Sandboxing all programs by default - NixOS Discourse
- Paranoid NixOS Setup - xeiaso
- nix-mineral: NixOS module for convenient system hardening.
- apparmor configs:
- Others:
- Directly via
buildFHSUserEnvBubblewrap:
- Directly via