From ab8fd424d80cb294384947675f76ba2f6989e5d4 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Wed, 13 Nov 2024 20:23:32 +0800
Subject: [PATCH] feat: add WeChat(UOS) sandboxed fix: mkdir - persist qq's config feat: update kernel params for nvidia
---
 Justfile | 4 +
 hardening/nixpaks/default.nix | 3 +
 hardening/nixpaks/firefox.nix | 9 ++-
 hardening/nixpaks/qq-desktop-item.nix | 4 +-
 hardening/nixpaks/qq.nix | 7 +-
 hardening/nixpaks/wechat-uos-desktop-item.nix | 17 +++++
 hardening/nixpaks/wechat-uos.nix | 73 +++++++++++++++++++
 home/linux/gui/base/misc.nix | 4 +
 hosts/idols-ai/nvidia.nix | 9 ++-
 9 files changed, 125 insertions(+), 5 deletions(-)
 create mode 100644 hardening/nixpaks/wechat-uos-desktop-item.nix
 create mode 100644 hardening/nixpaks/wechat-uos.nix
diff --git a/Justfile b/Justfile
index 0b0926f5..de855b79 100644
--- a/Justfile
+++ b/Justfile
@@ -381,6 +381,10 @@ emacs-reload:
 path: $env.PATH | split row ":"
+[group('common')]
+trace-access app *args:
+ strace -f -t -e trace=file {{app}} {{args}} | complete | $in.stderr | lines | find -v -r "(/nix/store|/newroot|/proc)" | parse --regex '"(/.+)"' | sort | uniq
+
 [linux]
 [group('common')]
 penvof pid:
diff --git a/hardening/nixpaks/default.nix b/hardening/nixpaks/default.nix
index 4230b667..09d7e483 100644
--- a/hardening/nixpaks/default.nix
+++ b/hardening/nixpaks/default.nix
@@ -22,6 +22,9 @@ in {
 qq = wrapper super ./qq.nix;
 qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
+ wechat-uos = wrapper super ./wechat-uos.nix;
+ wechat-uos-desktop-item = super.callPackage ./wechat-uos-desktop-item.nix {};
+
 firefox = wrapper super ./firefox.nix;
 firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
 };
diff --git a/hardening/nixpaks/firefox.nix b/hardening/nixpaks/firefox.nix
index 5111f1dc..59fbc4d6 100644
--- a/hardening/nixpaks/firefox.nix
+++ b/hardening/nixpaks/firefox.nix
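Review bot: The `parse --regex '"(/.+)"'` step in the new `trace-access` recipe uses a greedy `.+`, so an strace line with two quoted paths (rename, link, symlink) yields one merged capture like `/old", "/new` rather than two entries; `parse --regex '"(/[^"]+)"'` keeps them apart. The recipe also lacks the `[linux]` attribute that the adjacent `penvof` recipe carries, although strace only exists on Linux. The `-t` flag adds per-line timestamps that the pipeline discards, so it can be dropped. A header comment such as `# list host paths (outside /nix/store) that APP touches; use it to size a nixpak's bind.rw list` would state the recipe's purpose, which nothing in the hunk does.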
@@ -37,10 +37,15 @@ mkNixPak {
 };
 bubblewrap = {
+ # To trace all the home files QQ accesses, you can use the following nushell command:
+ # just trace-access firefox
+ # See the Justfile in the root of this repository for more information.
 bind.rw = [
- (sloth.concat' sloth.homeDir "/.mozilla")
- (sloth.concat' sloth.homeDir "/Downloads")
+ # given the read write permission to the following directories.
+ # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+ (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
+ sloth.xdgDownloadDir
 # ================ for externsions ===============================
 # required by https://github.com/browserpass/browserpass-extension
 (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass
diff --git a/hardening/nixpaks/qq-desktop-item.nix b/hardening/nixpaks/qq-desktop-item.nix
index 5661a3d7..9ee0b9e9 100644
--- a/hardening/nixpaks/qq-desktop-item.nix
+++ b/hardening/nixpaks/qq-desktop-item.nix
@@ -7,7 +7,9 @@ makeDesktopItem {
 desktopName = "QQ";
 exec = "qq %U";
 terminal = false;
- # icon = "qq";
+ # To find the icon name(nushell):
+ # let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
+ # tree $"($p)/share/icons"
 icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
 type = "Application";
 categories = ["Network"];
diff --git a/hardening/nixpaks/qq.nix b/hardening/nixpaks/qq.nix
index 51ed7971..47194d21 100644
--- a/hardening/nixpaks/qq.nix
+++ b/hardening/nixpaks/qq.nix
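Review bot: The new comment above `bind.rw` reads "To trace all the home files QQ accesses" although this is firefox.nix, and the same QQ wording is repeated in the new wechat-uos.nix; change it to `# To trace all the home files Firefox accesses, you can use the following nushell command:` here and to WeChat there. The other new comment, `# given the read write permission to the following directories.`, would read better as `# grant read/write access to the following directories.` (the same line appears in qq.nix and wechat-uos.nix). The `bubblewrap` block this hunk edits continues past the end of the hunk.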
@@ -34,8 +34,13 @@ mkNixPak {
 "org.kde.StatusNotifierWatcher" = "talk";
 };
 bubblewrap = {
+ # To trace all the home files QQ accesses, you can use the following nushell command:
+ # just trace-access qq
+ # See the Justfile in the root of this repository for more information.
 bind.rw = [
- (sloth.concat [sloth.xdgConfigHome "/QQ"])
+ # given the read write permission to the following directories.
+ # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+ (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
 (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/QQ"]))
 ];
 sockets = {
diff --git a/hardening/nixpaks/wechat-uos-desktop-item.nix b/hardening/nixpaks/wechat-uos-desktop-item.nix
new file mode 100644
index 00000000..e6bb09f4
--- /dev/null
+++ b/hardening/nixpaks/wechat-uos-desktop-item.nix
@@ -0,0 +1,17 @@
+{
+ makeDesktopItem,
+ wechat-uos,
+}:
+makeDesktopItem {
+ name = "wechat";
+ desktopName = "WeChat";
+ exec = "wechat-uos %U";
+ terminal = false;
+ # To find the icon name(nushell):
+ # let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#wechat-uos.outPath | str trim --char '"'
+ # tree $"($p)/share/icons"
+ icon = "${wechat-uos}/share/icons/hicolor/256x256/apps/com.tencent.wechat.png";
+ type = "Application";
+ categories = ["Network"];
+ comment = "Wechat boxed";
+}
diff --git a/hardening/nixpaks/wechat-uos.nix b/hardening/nixpaks/wechat-uos.nix
new file mode 100644
index 00000000..3308b9e9
--- /dev/null
+++ b/hardening/nixpaks/wechat-uos.nix
@@ -0,0 +1,73 @@
+# TODO: wechat-uos is running in FHS sandbox by default, it's problematic
+# to wrap it again via flatpak. We need to find a way to fix it.
+# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat-uos/package.nix
+# Refer:
+# - Flatpak manifest's docs:
+# - https://docs.flatpak.org/en/latest/manifests.html
+# - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+# - wechat-uos's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
+{
+ lib,
+ pkgs,
+ mkNixPak,
+ ...
+}:
+mkNixPak {
+ config = {sloth, ...}: {
+ app = {
+ package = pkgs.wechat-uos;
+ binPath = "bin/wechat-uos";
+ };
+ flatpak.appId = "com.tencent.WeChat";
+
+ imports = [
+ ./modules/gui-base.nix
+ ./modules/network.nix
+ ];
+
+ # list all dbus services:
+ # ls -al /run/current-system/sw/share/dbus-1/services/
+ # ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+ dbus.policies = {
+ "org.gnome.Shell.Screencast" = "talk";
+ # System tray icon
+ "org.freedesktop.Notifications" = "talk";
+ "org.kde.StatusNotifierWatcher" = "talk";
+ # File Manager
+ "org.freedesktop.FileManager1" = "talk";
+ # Uses legacy StatusNotifier implementation
+ "org.kde.*" = "own";
+ };
+ bubblewrap = {
+ # To trace all the home files QQ accesses, you can use the following nushell command:
+ # just trace-access wechat-uos
+ # See the Justfile in the root of this repository for more information.
+ bind.rw = [
+ # given the read write permission to the following directories.
+ # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+ (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
+ (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
+ (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
+ (sloth.mkdir (sloth.concat [sloth.xdgDownloadDir "/WeChat"]))
+ ];
+ sockets = {
+ x11 = false;
+ wayland = true;
+ pipewire = true;
+ };
+ bind.dev = [
+ "/dev/shm" # Shared Memory
+ ];
+ tmpfs = [
+ "/tmp"
+ ];
+
+ env = {
+ # Hidpi scale
+ "QT_AUTO_SCREEN_SCALE_FACTOR" = "1";
+ # Only supports xcb
+ "QT_QPA_PLATFORM" = "kcb";
+ };
+ };
+ };
+}
diff --git a/home/linux/gui/base/misc.nix b/home/linux/gui/base/misc.nix
index 20e3e4ce..ee70f0ae 100644
--- a/home/linux/gui/base/misc.nix
+++ b/home/linux/gui/base/misc.nix
@@ -24,6 +24,10 @@
 # my custom hardened packages
 pkgs.nixpaks.qq
 pkgs.nixpaks.qq-desktop-item
+
+ wechat-uos
+ # pkgs.nixpaks.wechat-uos
+ # pkgs.nixpaks.wechat-uos-desktop-item
 ];
 # GitHub CLI tool
diff --git a/hosts/idols-ai/nvidia.nix b/hosts/idols-ai/nvidia.nix
index f5a35af3..ab9acde8 100644
--- a/hosts/idols-ai/nvidia.nix
+++ b/hosts/idols-ai/nvidia.nix
@@ -3,7 +3,13 @@
 # for Nvidia GPU
 # ===============================================================================================
- boot.kernelParams = ["nvidia.NVreg_PreserveVideoMemoryAllocations=1"];
+ # https://wiki.hyprland.org/Nvidia/
+ boot.kernelParams = [
+ "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
+ # Since NVIDIA does not load kernel mode setting by default,
+ # enabling it is required to make Wayland compositors function properly.
+ "nvidia-drm.fbdev=1"
+ ];
 services.xserver.videoDrivers = ["nvidia"]; # will install nvidia-vaapi-driver by default
 hardware.nvidia = {
 open = false;
@@ -15,6 +21,7 @@
 modesetting.enable = true;
 powerManagement.enable = true;
 };
+ hardware.nvidia-container-toolkit.enable = true;
 hardware.graphics = {
 enable = true;
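Review bot: `"QT_QPA_PLATFORM" = "kcb";` in the `env` block sets a platform plugin name that does not exist; the comment right above it says xcb, so the line should be `"QT_QPA_PLATFORM" = "xcb";`. That comment also conflicts with `x11 = false; wayland = true;` under `sockets` — an xcb client talks to the X server through the X11 socket — so one of the two is wrong and should be checked by launching the app. `"org.kde.*" = "own"` in `dbus.policies` lets the sandboxed app claim every bus name under org.kde, far wider than the StatusNotifier use the comment describes; if a specific name is needed it should be listed, otherwise a comment should record why the wildcard is unavoidable. `"/dev/shm"` under `bind.dev` hands the app the host's shared-memory namespace; a comment naming the feature that needs it would let a later reader judge whether it can go.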
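Review bot: The package list now installs the plain `wechat-uos` while `pkgs.nixpaks.wechat-uos` and its desktop item sit commented out, so the WeChat this commit actually installs is not sandboxed despite the commit title, and nothing at this site says why. A comment would prevent the next reader from assuming the sandbox is active, e.g. `# not sandboxed yet: the package already runs in its own FHS env and wrapping it again is problematic, see the TODO in hardening/nixpaks/wechat-uos.nix`. The enclosing package list starts before the hunk.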
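Review bot: `hardware.nvidia-container-toolkit.enable = true;` in the second hunk is neither mentioned in the commit message (which speaks only of kernel params) nor commented, unlike the `nvidia-drm.fbdev=1` parameter above it that cites the Hyprland wiki. As far as I know this option exposes the host GPU to container runtimes, which widens what a container on this host can reach, so a comment such as `# expose the GPU to containers (nvidia-container-toolkit); needed for <workload>` — with the workload filled in — would record the intent. The `hardware.graphics` block that follows continues past the hunk.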