
sandbox and shell changes

branch master, parent commit a9a614d264
Signed by: govanify GPG Key ID: DE62E1E2A6145556
15 changed files with 34 additions and 45 deletions
  1. +1 -2 README.md
  2. +4 -2 common/default.nix
  3. +2 -1 common/graphical.nix
  4. +1 -7 common/sandboxing.nix
  5. +1 -0 common/security.nix
  6. +5 -0 common/users.nix
  7. +1 -0 common/xdg.nix
  8. +6 -12 doc/design.txt
  9. +1 -0 dotfiles/clone-pass.sh
  10. +1 -1 dotfiles/graphical/sway-laptop/locale.sh
  11. +1 -1 dotfiles/graphical/sway/locale.sh
  12. +1 -1 dotfiles/mail/mutt/mailsync.sh
  13. +7 -0 pkgs/fish.nix
  14. +2 -0 pkgs/tmux.nix
  15. +0 -18 pkgs/zsh.nix

README.md (+1 -2)

@ -5,7 +5,6 @@ files handling my own internal infrastructure.
Currently the machines populated by this configuration are:
* alastor
* xanadu

common/default.nix (+4 -2)

@ -10,7 +10,7 @@
https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos")
./../secrets/deployment.nix
./../pkgs/vim.nix
./../pkgs/zsh.nix
./../pkgs/fish.nix
./../pkgs/tmux.nix
];
@ -18,9 +18,11 @@
# basic set of tools & ssh
environment.systemPackages = with pkgs; [
wget neovim tmux git git-crypt
rsync imagemagick mosh gnupg
rsync imagemagick mosh gnupg manpages
];
documentation.dev.enable = true;
# need to find a way to make it work through TCP thanks to tor
programs.mosh.enable = true;
services.openssh = {
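Review bot: the TODO comment above `programs.mosh.enable = true;` is untouched while the hunk only adds `manpages`, and it is worth resolving now because enabling mosh through the NixOS module also opens UDP 60000-61000 in the firewall, which is the opposite of the tor-only transport the comment asks for (mosh is UDP-based and cannot ride a TCP-only tor circuit as-is). If only the mosh client is wanted on these machines, put `mosh` in `environment.systemPackages` instead of enabling the module, and keep the TODO next to the firewall decision. `documentation.dev.enable = true;` together with the explicit `manpages` package is the right pair for section 2/3 pages.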

common/graphical.nix (+2 -1)

@ -35,7 +35,8 @@
ardour
# stem
#freecad
kicad wireshark sourcetrail pandoc
kicad wireshark pandoc limesuite
# sourcetrail
# recording/streaming
obs-studio obs-wlrobs obs-v4l2sink
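Review bot: `wireshark` stays in `environment.systemPackages` in this hunk (the change swaps `sourcetrail` for `limesuite`), but without `programs.wireshark.enable = true;` there is no capability-wrapped `dumpcap` and no `wireshark` group, so live captures only work as root, which means the dissectors (the part that parses untrusted traffic) run with full privileges. Prefer the module plus adding the user to the `wireshark` group so only `dumpcap` gets `cap_net_raw`/`cap_net_admin`. The `# sourcetrail` comment joins `#freecad` as a second commented-out package; a short note on why they are disabled would keep the list readable.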

common/sandboxing.nix (+1 -7)

@ -1,11 +1,5 @@
{ config, pkgs, ... }:
{
programs.firejail = {
enable = true;
wrappedBinaries = {
mpv = "${pkgs.mpv}/bin/mpv";
};
};
# TODO: AppArmor profiles
}
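Review bot: after this hunk common/sandboxing.nix is an empty module with only a TODO, so `mpv` loses its firejail wrapper while nothing replaces it: no `security.apparmor.enable = true;` and no profile appear in the commit, so the old sandbox is removed before the new one exists. Suggest keeping the `programs.firejail.wrappedBinaries` block until the AppArmor profiles land, or at least enabling `security.apparmor.enable = true;` here so the TODO is a missing profile rather than a missing subsystem. The `config, pkgs` arguments are now unused as well.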

common/security.nix (+1 -0)

@ -32,5 +32,6 @@ in {
# any hardened allocator doesn't even let me boot
#environment.memoryAllocator.provider = "graphene-hardened";
security.allowSimultaneousMultithreading = true;
nix.useSandbox = true;
}
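Review bot: `nix.useSandbox = true;` enables the Nix build sandbox (derivation builds run in their own namespaces with no network), which is unrelated to the application sandboxing this commit removes from common/sandboxing.nix; it does nothing for confining `mpv` or firefox at runtime. A one-line comment would keep the two from being confused, especially since the comment two lines above is about a different, disabled hardening measure.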

common/users.nix (+5 -0)

@ -23,5 +23,10 @@
};
};
# for nix builders
home-manager.users.root = {
home.file.".config/ssh/authorized_keys".source = ./../secrets/authorized_keys;
};
}
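Review bot: `home.file.".config/ssh/authorized_keys"` writes the key file where sshd does not look by default; OpenSSH reads `~/.ssh/authorized_keys` unless `AuthorizedKeysFile` is changed, and the `services.openssh` block that this commit touches in common/default.nix does not show such a setting in its hunk, so verify that root logins for builders actually use this path. Separately, root SSH access for remote builds is broader than needed: a dedicated unprivileged user listed in `nix.trustedUsers` and used as `sshUser` in `nix.buildMachines` serves builds without exposing root over the network. If root is kept, make sure `services.openssh.permitRootLogin` is `"prohibit-password"` rather than `"yes"`.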

common/xdg.nix (+1 -0)

@ -82,6 +82,7 @@
XDG_DATA_HOME = "$HOME/.local/share";
LESSKEY = "$XDG_CONFIG_HOME/less/lesskey";
LESSHISTFILE = "-";
HISTFILE = "$HOME/.local/share/bash_history";
ZDOTDIR = "$XDG_CONFIG_HOME/zsh";
CARGO_HOME = "$XDG_DATA_HOME/cargo";
WINEPREFIX = "$HOME/.local/share/wineprefixes/default";
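Review bot: `HISTFILE = "$HOME/.local/share/bash_history"` hardcodes the path while `XDG_DATA_HOME` is defined three lines above and the neighbouring `CARGO_HOME` uses it, so `"$XDG_DATA_HOME/bash_history"` is the consistent form. Note that this variable only affects bash; with `users.defaultUserShell = pkgs.fish` from pkgs/fish.nix in this same commit, interactive shells are fish, which keeps its history under `$XDG_DATA_HOME/fish` on its own.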

doc/design.txt (+6 -12)

@ -27,10 +27,10 @@ This can of course be modified to fit your environment. I found this setup to be
the most useful when proceeding to researching theoretical sciences and writing
papers.
Some apps are sandboxed by default using the firejail sandbox application but
Some apps are sandboxed by default using apparmor profiles but
not all of them. For example, zsh is not sandboxed by default. In the example up
above, to start a sandboxed shell, you would have to explicitely type `firejail
zsh`.
above, to start a sandboxed shell, you would have to explicitely type
`sandboxed_sh` (or whatever this ends up being named).
When the program is sandboxed by default though, it proceeds on a whitelist
basis(blacklisting any filesystem paths it doesn't need) and cuts off the
network along with disabling as much attack surface as possible.
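Review bot: the rewritten sentence says apps "are sandboxed by default using apparmor profiles", but common/sandboxing.nix in this same commit contains only a `# TODO: AppArmor profiles` line, so the document now describes a state that does not exist yet; either mark it as planned or land the profiles first. The unchanged next sentence also contradicts itself: "whitelist basis (blacklisting any filesystem paths it doesn't need)" describes a default-deny policy that allows needed paths, so "blacklisting" should read "denying access to". `sandboxed_sh` is explicitly a placeholder name; a TODO marker next to it would make it easy to find once the wrapper exists.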
@ -93,14 +93,8 @@ The security of each of those components will be further discussed later on.
CLI apps are usually preferred as they are easier to fuzz, usually snappier on
lower end machines and integrate well with this setup overall.
The security architecture is overall sandbox based using firejail. Firejail was
preferred over bwrap as filesystem whitelisting et al is supported by default
and it is easier to set it up overall. The attack surface of firejail is
relatively constrained by dropping privileges most of the time and most
attacks rely on the fact that firejail is an SUID program which could lead to an
LPE _outside_ of the sandbox, which is not a threat model considered as headfull
systems are mostly not multi-user.
Firejail sandbox should be defined on a whitelist basis and to block everything
The security architecture is overall sandbox based using AppArmor.
AppArmor sandbox should be defined on a whitelist basis and to block everything
by default, and unblock as an application needs it. The "standard" jail ran for
programs with no profile cuts off internet, dbus and sensitive files which could
lead to, say, code execution. This for sure is not a silver bullet but I believe
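Review bot: "The "standard" jail ran for programs with no profile" does not carry over from firejail to AppArmor. Firejail applies a default profile to any program started through it, but AppArmor confines only processes whose executable has a loaded profile and leaves everything else unconfined, so under the new design a program without a profile gets no sandbox at all rather than the network/dbus/sensitive-file cutoff this paragraph promises. Either describe the mechanism that will provide the catch-all (for example confining the launcher so children inherit a profile) or drop the claim. The deleted paragraph also carried the threat-model reasoning (firejail is SUID, an LPE outside the sandbox is out of scope on single-user machines); the replacement gives no reason for choosing AppArmor over firejail or bwrap, which the rest of the document builds on.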
@ -160,7 +154,7 @@ user processes and daemons:
* firefox is constantly fuzzed both publically and privately by state-level
threat actors and should be considered to be broken. Firefox is
sandboxed by default with firejail on top of the per-tab sandbox(which uses
sandboxed by default with apparmor on top of the per-tab sandbox(which uses
the same technology) and disables JavasScript and trackable medias by default,
which makes it MUCH harder, if not impossible to get an RCE. This is even more
true on firefox since a good portion of the application is being ported to
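Review bot: "the per-tab sandbox (which uses the same technology)" was roughly true for firejail (namespaces and seccomp-bpf, which Firefox's content-process sandbox on Linux also uses) but not for AppArmor, which is an LSM mandatory-access-control layer, a different mechanism that stacks on top of Firefox's own sandbox rather than sharing it. Reword to say the two are independent layers, which is actually the stronger claim for defence in depth. `JavasScript` in the unchanged context is a typo.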

dotfiles/clone-pass.sh (+1 -0)

@ -1,3 +1,4 @@
#!/bin/sh
while [ ! -d ~/.config/pass ]
do
git clone git@code.govanify.com:govanify/passwords.git ~/.config/pass
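Review bot: the `while [ ! -d ~/.config/pass ]` loop re-runs `git clone` with no delay and no retry cap, so if the clone fails for a persistent reason (no network, SSH key not unlocked, unknown host key) the script spins and hammers the git server. Add a `sleep` between attempts and a maximum count, and exit non-zero when it gives up so a caller can tell the password store is missing.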

dotfiles/graphical/sway-laptop/locale.sh (+1 -1)

@ -1,4 +1,4 @@
#!/usr/bin/env bash
#!/bin/sh
engine=$(ibus engine)
if [ "${engine}" == "mozc-jp" ] || [ "${engine}" == "xkb:jp::jpn" ]
then
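Review bot: `==` inside `[ ]` is a bash extension; with the shebang changed to `#!/bin/sh` the test is now run by whatever `/bin/sh` is, and POSIX `test` only defines `=`. Bash's `[` accepts `==` so this happens to work where `/bin/sh` is bash, but dash rejects it with "unexpected operator". Change both comparisons to `[ "${engine}" = "mozc-jp" ] || [ "${engine}" = "xkb:jp::jpn" ]` so the script is correct under the shell it now declares.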

dotfiles/graphical/sway/locale.sh (+1 -1)

@ -1,4 +1,4 @@
#!/usr/bin/env bash
#!/bin/sh
engine=$(ibus engine)
if [ "${engine}" == "mozc-jp" ] || [ "${engine}" == "xkb:jp::jpn" ]
then
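Review bot: same issue as the sway-laptop copy: `==` inside `[ ]` is not POSIX, so after switching the shebang to `#!/bin/sh` the comparisons should use `=` (`[ "${engine}" = "mozc-jp" ] || [ "${engine}" = "xkb:jp::jpn" ]`). Since the two locale.sh files are identical apart from their location, consider keeping one copy and symlinking or sourcing it from both sway profiles.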

dotfiles/mail/mutt/mailsync.sh (+1 -1)

@ -1,4 +1,4 @@
#!/usr/bin/env sh
#!/bin/sh
# Run only if user logged in (prevent cron errors)
pgrep -u "${USER:=$LOGNAME}" >/dev/null || { echo "$USER not logged in; sync will not run."; exit ;}

pkgs/fish.nix (+7 -0)

@ -0,0 +1,7 @@
{ config, pkgs, lib, ... }: {
users.defaultUserShell = pkgs.fish;
programs.fish = {
enable = true;
#plugins = [ "git" "common-aliases" "dirhistory" "pip" "python" "sudo" ];
};
}
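Review bot: the commented `#plugins = [ ... ]` line is the oh-my-zsh plugin list carried over from zsh.nix; the NixOS `programs.fish` module has no `plugins` option (home-manager's fish module has one, with a different `{ name; src; }` form), so this comment cannot simply be uncommented later. Remove it or note the intended mechanism. Also, since fish is not POSIX, anything that runs `$SHELL -c` with sh syntax will now break for this user; the `#!/bin/sh` scripts in this commit are unaffected because they name their interpreter explicitly.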

pkgs/tmux.nix (+2 -0)

@ -11,6 +11,8 @@
set -g @continuum-restore 'on'
set -g @continuum-boot 'on'
set -sg escape-time 10
set -g default-shell "${pkgs.fish}/bin/fish"
set -g default-command "${pkgs.fish}/bin/fish"
'';
};
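Review bot: setting `default-command` to the same path as `default-shell` changes behaviour: tmux runs `default-command` as a plain (non-login) shell, whereas with `default-command` left empty it starts `default-shell` as a login shell. If the intent is only to use fish, `default-shell "${pkgs.fish}/bin/fish"` alone is enough; keep the `default-command` line only if skipping login-shell initialisation in new panes is deliberate.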

pkgs/zsh.nix (+0 -18)

@ -1,18 +0,0 @@
{ config, pkgs, lib, ... }: {
users.defaultUserShell = pkgs.zsh;
programs.zsh = {
enable = true;
ohMyZsh = {
enable = true;
plugins = [ "git" "common-aliases" "dirhistory" "pip" "python" "sudo" ];
theme = "robbyrussell";
};
histFile = "$XDG_DATA_HOME/zsh/history";
# we unloaded the pulseaudio module already so this file shouldn't be used
# after startup. VERY hacky but oh well
interactiveShellInit = ''
mkdir -p $XDG_DATA_HOME/zsh &> /dev/null
compinit -d $XDG_CACHE_HOME/zsh/zcompdump-$ZSH_VERSION
'';
};
}
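Review bot: deleting this file leaves stale zsh references elsewhere in the tree: common/xdg.nix still exports `ZDOTDIR = "$XDG_CONFIG_HOME/zsh"`, and doc/design.txt in this same commit still uses "zsh is not sandboxed by default" as its example. The removed `interactiveShellInit` also created the XDG history and completion-cache directories; fish needs no equivalent because it stores history under `$XDG_DATA_HOME/fish` itself, so nothing is lost there, but the comment about "the pulseaudio module" never described this file's contents and was worth dropping regardless.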
