sandbox and shell changes

1 month ago · a9a614d264
--- a/README.md
+++ b/README.md
@ -5,7 +5,6 @@ files handling my own internal infrastructure.

 Currently the machines populated by this configuration are:

 * alastor
 * xanadu



--- a/common/default.nix
+++ b/common/default.nix
@ -10,7 +10,7 @@
    https://github.com/rycee/home-manager/archive/master.tar.gz}/nixos")
    ./../secrets/deployment.nix
    ./../pkgs/vim.nix
    ./../pkgs/zsh.nix
    ./../pkgs/fish.nix
    ./../pkgs/tmux.nix
  ];

@ -18,9 +18,11 @@
  # basic set of tools & ssh
  environment.systemPackages = with pkgs; [
    wget neovim tmux git git-crypt 
    rsync imagemagick mosh gnupg
    rsync imagemagick mosh gnupg manpages
  ];

  documentation.dev.enable = true;

  # need to find a way to make it work through TCP thanks to tor
  programs.mosh.enable = true;
  services.openssh = {
--- a/common/graphical.nix
+++ b/common/graphical.nix
@ -35,7 +35,8 @@
      ardour
      # stem
      #freecad 
      kicad wireshark sourcetrail pandoc
      kicad wireshark pandoc limesuite
      # sourcetrail
      # recording/streaming
      obs-studio obs-wlrobs obs-v4l2sink

--- a/common/sandboxing.nix
+++ b/common/sandboxing.nix
@ -1,11 +1,5 @@
 { config, pkgs, ... }:
 {
  programs.firejail = {
    enable = true;
    wrappedBinaries = {
      mpv = "${pkgs.mpv}/bin/mpv";
    };
 };

 # TODO: AppArmor profiles
 }

--- a/common/security.nix
+++ b/common/security.nix
@ -32,5 +32,6 @@ in {
  # any hardened allocator doesn't even let me boot
  #environment.memoryAllocator.provider = "graphene-hardened";
  security.allowSimultaneousMultithreading = true;
  nix.useSandbox = true;
 }

--- a/common/users.nix
+++ b/common/users.nix
@ -23,5 +23,10 @@
     };
   };

   # for nix builders
   home-manager.users.root = {
    home.file.".config/ssh/authorized_keys".source  = ./../secrets/authorized_keys;
     };

 }

--- a/common/xdg.nix
+++ b/common/xdg.nix
@ -82,6 +82,7 @@
    XDG_DATA_HOME = "$HOME/.local/share";
    LESSKEY = "$XDG_CONFIG_HOME/less/lesskey";
    LESSHISTFILE = "-";
    HISTFILE = "$HOME/.local/share/bash_history";
    ZDOTDIR = "$XDG_CONFIG_HOME/zsh";
    CARGO_HOME = "$XDG_DATA_HOME/cargo";
    WINEPREFIX = "$HOME/.local/share/wineprefixes/default";
--- a/doc/design.txt
+++ b/doc/design.txt
@ -27,10 +27,10 @@ This can of course be modified to fit your environment. I found this setup to be
 the most useful when proceeding to researching theoretical sciences and writing
 papers.

 Some apps are sandboxed by default using the firejail sandbox application but
 Some apps are sandboxed by default using apparmor profiles but
 not all of them. For example, zsh is not sandboxed by default. In the example up
 above, to start a sandboxed shell, you would have to explicitely type `firejail
 zsh`.
 above, to start a sandboxed shell, you would have to explicitely type
 `sandboxed_sh` (or whatever this ends up being named).
 When the program is sandboxed by default though, it proceeds on a whitelist
 basis(blacklisting any filesystem paths it doesn't need) and cuts off the
 network along with disabling as much attack surface as possible.
@ -93,14 +93,8 @@ The security of each of those components will be further discussed later on.
 CLI apps are usually preferred as they are easier to fuzz, usually snappier on
 lower end machines and integrate well with this setup overall.

 The security architecture is overall sandbox based using firejail. Firejail was
 preferred over bwrap as filesystem whitelisting et al is supported by default
 and it is easier to set it up overall. The attack surface of firejail is
 relatively constrained by dropping privileges most of the time and most
 attacks rely on the fact that firejail is an SUID program which could lead to an
 LPE _outside_ of the sandbox, which is not a threat model considered as headfull
 systems are mostly not multi-user.
 Firejail sandbox should be defined on a whitelist basis and to block everything
 The security architecture is overall sandbox based using AppArmor. 
 AppArmor sandbox should be defined on a whitelist basis and to block everything
 by default, and unblock as an application needs it. The "standard" jail ran for
 programs with no profile cuts off internet, dbus and sensitive files which could
 lead to, say, code execution. This for sure is not a silver bullet but I believe
@ -160,7 +154,7 @@ user processes and daemons:

 * firefox is constantly fuzzed both publically and privately by state-level
  threat actors and should be considered to be broken. Firefox is
  sandboxed by default with firejail on top of the per-tab sandbox(which uses
  sandboxed by default with apparmor on top of the per-tab sandbox(which uses
  the same technology) and disables JavasScript and trackable medias by default,
  which makes it MUCH harder, if not impossible to get an RCE. This is even more
  true on firefox since a good portion of the application is being ported to
--- a/dotfiles/clone-pass.sh
+++ b/dotfiles/clone-pass.sh
@ -1,3 +1,4 @@
 #!/bin/sh
 while [ ! -d ~/.config/pass ]
 do
    git clone git@code.govanify.com:govanify/passwords.git ~/.config/pass
--- a/dotfiles/graphical/sway-laptop/locale.sh
+++ b/dotfiles/graphical/sway-laptop/locale.sh
@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 #!/bin/sh
 engine=$(ibus engine)
 if [ "${engine}" == "mozc-jp" ] || [ "${engine}" == "xkb:jp::jpn" ]
 then
--- a/dotfiles/graphical/sway/locale.sh
+++ b/dotfiles/graphical/sway/locale.sh
@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 #!/bin/sh
 engine=$(ibus engine)
 if [ "${engine}" == "mozc-jp" ] || [ "${engine}" == "xkb:jp::jpn" ]
 then
--- a/dotfiles/mail/mutt/mailsync.sh
+++ b/dotfiles/mail/mutt/mailsync.sh
@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 #!/bin/sh

 # Run only if user logged in (prevent cron errors)
 pgrep -u "${USER:=$LOGNAME}" >/dev/null || { echo "$USER not logged in; sync will not run."; exit ;}
--- a/pkgs/fish.nix
+++ b/pkgs/fish.nix
@ -0,0 +1,7 @@
 { config, pkgs, lib, ... }: {
  users.defaultUserShell = pkgs.fish; 
  programs.fish = {
    enable = true;
    #plugins = [ "git" "common-aliases" "dirhistory" "pip" "python" "sudo" ];
  };
 }
--- a/pkgs/tmux.nix
+++ b/pkgs/tmux.nix
@ -11,6 +11,8 @@
        set -g @continuum-restore 'on'
        set -g @continuum-boot 'on'
        set -sg escape-time 10
        set -g default-shell "${pkgs.fish}/bin/fish"
        set -g default-command "${pkgs.fish}/bin/fish"
      '';

    };
--- a/pkgs/zsh.nix
+++ b/pkgs/zsh.nix
@ -1,18 +0,0 @@
 { config, pkgs, lib, ... }: {
  users.defaultUserShell = pkgs.zsh; 
  programs.zsh = {
    enable = true;
    ohMyZsh = { 
      enable = true;
      plugins = [ "git" "common-aliases" "dirhistory" "pip" "python" "sudo" ];
      theme = "robbyrussell";
    };
    histFile = "$XDG_DATA_HOME/zsh/history";
    # we unloaded the pulseaudio module already so this file shouldn't be used
    # after startup. VERY hacky but oh well
    interactiveShellInit =  ''
      mkdir -p $XDG_DATA_HOME/zsh &> /dev/null
      compinit -d $XDG_CACHE_HOME/zsh/zcompdump-$ZSH_VERSION
    '';
  };
 }