feat: add WeChat(UOS) sandboxed

fix: mkdir - persist qq's config feat: update kernel params for nvidia
ryan4yin · Nov 13, 2024 · ab8fd42 · ab8fd42
1 parent fd776a0
commit ab8fd42
Show file tree

Hide file tree

Showing 9 changed files with 125 additions and 5 deletions.
diff --git a/Justfile b/Justfile
@@ -381,6 +381,10 @@ emacs-reload:
 path:
    $env.PATH | split row ":"
 
+[group('common')]
+trace-access app *args:
+  strace -f -t -e trace=file {{app}} {{args}} | complete | $in.stderr | lines | find -v -r "(/nix/store|/newroot|/proc)" | parse --regex '"(/.+)"' | sort | uniq
+
 [linux]
 [group('common')]
 penvof pid:

diff --git a/hardening/nixpaks/default.nix b/hardening/nixpaks/default.nix
@@ -22,6 +22,9 @@ in {
         qq = wrapper super ./qq.nix;
         qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
 
+        wechat-uos = wrapper super ./wechat-uos.nix;
+        wechat-uos-desktop-item = super.callPackage ./wechat-uos-desktop-item.nix {};
+
         firefox = wrapper super ./firefox.nix;
         firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
       };

diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
@@ -37,10 +37,15 @@ mkNixPak {
     };
 
     bubblewrap = {
+      # To trace all the home files QQ accesses, you can use the following nushell command:
+      #   just trace-access firefox
+      # See the Justfile in the root of this repository for more information.
       bind.rw = [
-        (sloth.concat' sloth.homeDir "/.mozilla")
-        (sloth.concat' sloth.homeDir "/Downloads")
+        # given the read write permission to the following directories.
+        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+        (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
 
+        sloth.xdgDownloadDir
         # ================ for externsions ===============================
         # required by https://github.com/browserpass/browserpass-extension
         (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass

diff --git a/hardening/nixpaks/qq-desktop-item.nix b/hardening/nixpaks/qq-desktop-item.nix
@@ -7,7 +7,9 @@ makeDesktopItem {
   desktopName = "QQ";
   exec = "qq %U";
   terminal = false;
-  # icon = "qq";
+  # To find the icon name(nushell):
+  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
+  #   tree $"($p)/share/icons"
   icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
   type = "Application";
   categories = ["Network"];

diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
@@ -34,8 +34,13 @@ mkNixPak {
       "org.kde.StatusNotifierWatcher" = "talk";
     };
     bubblewrap = {
+      # To trace all the home files QQ accesses, you can use the following nushell command:
+      #   just trace-access qq
+      # See the Justfile in the root of this repository for more information.
       bind.rw = [
-        (sloth.concat [sloth.xdgConfigHome "/QQ"])
+        # given the read write permission to the following directories.
+        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+        (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
         (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/QQ"]))
       ];
       sockets = {

diff --git a/hardening/nixpaks/wechat-uos-desktop-item.nix b/hardening/nixpaks/wechat-uos-desktop-item.nix
@@ -0,0 +1,17 @@
+{
+  makeDesktopItem,
+  wechat-uos,
+}:
+makeDesktopItem {
+  name = "wechat";
+  desktopName = "WeChat";
+  exec = "wechat-uos %U";
+  terminal = false;
+  # To find the icon name(nushell):
+  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#wechat-uos.outPath | str trim --char '"'
+  #   tree $"($p)/share/icons"
+  icon = "${wechat-uos}/share/icons/hicolor/256x256/apps/com.tencent.wechat.png";
+  type = "Application";
+  categories = ["Network"];
+  comment = "Wechat boxed";
+}
diff --git a/hardening/nixpaks/wechat-uos.nix b/hardening/nixpaks/wechat-uos.nix
@@ -0,0 +1,73 @@
+# TODO: wechat-uos is running in FHS sandbox by default, it's problematic
+#   to wrap it again via flatpak. We need to find a way to fix it.
+#   https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat-uos/package.nix
+# Refer:
+# - Flatpak manifest's docs:
+#   - https://docs.flatpak.org/en/latest/manifests.html
+#   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+# - wechat-uos's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
+{
+  lib,
+  pkgs,
+  mkNixPak,
+  ...
+}:
+mkNixPak {
+  config = {sloth, ...}: {
+    app = {
+      package = pkgs.wechat-uos;
+      binPath = "bin/wechat-uos";
+    };
+    flatpak.appId = "com.tencent.WeChat";
+
+    imports = [
+      ./modules/gui-base.nix
+      ./modules/network.nix
+    ];
+
+    # list all dbus services:
+    #   ls -al /run/current-system/sw/share/dbus-1/services/
+    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+    dbus.policies = {
+      "org.gnome.Shell.Screencast" = "talk";
+      # System tray icon
+      "org.freedesktop.Notifications" = "talk";
+      "org.kde.StatusNotifierWatcher" = "talk";
+      # File Manager
+      "org.freedesktop.FileManager1" = "talk";
+      # Uses legacy StatusNotifier implementation
+      "org.kde.*" = "own";
+    };
+    bubblewrap = {
+      # To trace all the home files QQ accesses, you can use the following nushell command:
+      #   just trace-access wechat-uos
+      # See the Justfile in the root of this repository for more information.
+      bind.rw = [
+        # given the read write permission to the following directories.
+        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+        (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
+        (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/WeChat"]))
+      ];
+      sockets = {
+        x11 = false;
+        wayland = true;
+        pipewire = true;
+      };
+      bind.dev = [
+        "/dev/shm" # Shared Memory
+      ];
+      tmpfs = [
+        "/tmp"
+      ];
+
+      env = {
+        # Hidpi scale
+        "QT_AUTO_SCREEN_SCALE_FACTOR" = "1";
+        # Only supports xcb
+        "QT_QPA_PLATFORM" = "kcb";
+      };
+    };
+  };
+}
diff --git a/home/linux/gui/base/misc.nix b/home/linux/gui/base/misc.nix
@@ -24,6 +24,10 @@
     # my custom hardened packages
     pkgs.nixpaks.qq
     pkgs.nixpaks.qq-desktop-item
+
+    wechat-uos
+    # pkgs.nixpaks.wechat-uos
+    # pkgs.nixpaks.wechat-uos-desktop-item
   ];
 
   # GitHub CLI tool

diff --git a/hosts/idols-ai/nvidia.nix b/hosts/idols-ai/nvidia.nix
@@ -3,7 +3,13 @@
   # for Nvidia GPU
   # ===============================================================================================
 
-  boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
+  # https://wiki.hyprland.org/Nvidia/
+  boot.kernelParams = [
+    "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
+    # Since NVIDIA does not load kernel mode setting by default,
+    # enabling it is required to make Wayland compositors function properly.
+    "nvidia-drm.fbdev=1"
+  ];
   services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
   hardware.nvidia = {
     open = false;
@@ -15,6 +21,7 @@
     modesetting.enable = true;
     powerManagement.enable = true;
   };
+
   hardware.nvidia-container-toolkit.enable = true;
   hardware.graphics = {
     enable = true;