squalus / anytype-flake

Nix build for Anytype
BSD Zero Clause License

hardening #2

Open hellodword opened 2 months ago

hellodword commented 2 months ago

How about adding a sandboxed package to enhance security? This software has many dependencies, but I couldn't find any audit details.

Here's the firejail profile that I'm using (just a proof of concept, definitely not the minimal profile):

# No system bus; session bus filtered down to the keyring (secret service) only.
dbus-system none
# The included profiles set "dbus-user none"; ignore it so the filter below takes effect
# (ignore must come before the include lines).
ignore dbus-user none
dbus-user filter
dbus-user.talk org.freedesktop.secrets

include electron.profile
include chromium-common-hardened.inc.profile

# Persist the app's own state; a single whitelist under ${HOME} hides the rest of the home directory.
noblacklist ${HOME}/.config/anytype
whitelist ${HOME}/.config/anytype

I guess a better way is using bubblewrap, but I haven't been able to get it working.

What do you think?

squalus commented 1 month ago

Sounds like a good idea.

hellodword commented 1 month ago

I'm using the master branch of firejail; here is the profile I'm using:

# The included profiles set "dbus-user none"; ignore it so the filter below takes effect.
ignore dbus-user none

# App state: the only writable directory under ${HOME}.
mkdir ${HOME}/.config/anytype
noblacklist ${HOME}/.config/anytype
whitelist ${HOME}/.config/anytype

# Native messaging host manifests that Anytype writes for its browser extension, see
# https://github.com/anyproto/anytype-ts/blob/e9bdf53c82e6f7686a42c082072f8a05bc74673b/electron/js/lib/installNativeMessagingHost.js#L152-L155
# Only the manifest file is whitelisted, not the whole browser profile.
noblacklist ${HOME}/.config/BraveSoftware/Brave-Browser
mkdir ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts
mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anytype.desktop.json
whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anytype.desktop.json

noblacklist ${HOME}/.config/chromium
mkdir ${HOME}/.config/chromium/NativeMessagingHosts
mkfile ${HOME}/.config/chromium/NativeMessagingHosts/com.anytype.desktop.json
whitelist ${HOME}/.config/chromium/NativeMessagingHosts/com.anytype.desktop.json

noblacklist ${HOME}/.mozilla
mkdir ${HOME}/.mozilla/native-messaging-hosts
mkfile ${HOME}/.mozilla/native-messaging-hosts/com.anytype.desktop.json
whitelist ${HOME}/.mozilla/native-messaging-hosts/com.anytype.desktop.json

# No system bus; session bus filtered down to the names listed below.
dbus-system none
dbus-user filter

# Keyring (secret service)
dbus-user.talk org.freedesktop.secrets

# Input methods (fcitx5 / IBus)
dbus-user.talk org.fcitx.Fcitx5
dbus-user.talk org.freedesktop.portal.Fcitx
dbus-user.talk org.fcitx.Fcitx.*
dbus-user.talk org.freedesktop.portal.IBus

# Notifications and tray icon; the "?ALLOW_TRAY:" line is the conditional form of the one above it.
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.kde.StatusNotifierItem
dbus-user.talk org.kde.StatusNotifierWatcher
?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher

# Base hardening last, so the noblacklist and ignore lines above are seen first.
include electron-common.profile
include electron-common-hardened.inc.profile

But firejail works with setuid, so I can't wrap it with pkgs.firejail; I'm doing this in a very dirty way.

Any suggestions?

squalus commented 1 month ago

If it needs setuid then it's probably not viable for an application like this. Bubblewrap sounds like a better option. I see some packages using it in upstream nixpkgs. (I have not researched this much myself.)
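The bubblewrap route suggested in the first comment and again in the reply above, as an added example that is not part of anytype-flake or of anyone's post in this thread: the firejail profile translated into a `bwrap` invocation, with the session-bus filtering done by `xdg-dbus-proxy` (the same tool Flatpak uses) since bwrap itself has no D-Bus filter. Everything here is an assumption of the example rather than something the thread states: `bwrap` and `xdg-dbus-proxy` on `PATH`, an unprivileged (non-setuid) bwrap as nixpkgs ships it, the socket name `anytype-dbus-proxy`, and `ANYTYPE_BIN` pointing at the Anytype binary.

```shell
#!/bin/sh
# Added example (not from anytype-flake or the thread): run Anytype under
# bubblewrap with a filtered session bus, i.e. the firejail profile above
# translated to bwrap + xdg-dbus-proxy. Assumed: bwrap and xdg-dbus-proxy on
# PATH, Linux with user namespaces, ANYTYPE_BIN set to the Anytype binary.
set -eu

: "${XDG_RUNTIME_DIR:=/run/user/$(id -u)}"
: "${DBUS_SESSION_BUS_ADDRESS:=unix:path=$XDG_RUNTIME_DIR/bus}"
PROXY_SOCK="$XDG_RUNTIME_DIR/anytype-dbus-proxy"   # hypothetical socket name

# xdg-dbus-proxy arguments, one per line. --filter hides every bus name not
# listed; the --talk list is the dbus-user.talk set from the firejail profile.
dbus_proxy_args() {
    printf '%s\n' "$DBUS_SESSION_BUS_ADDRESS" "$PROXY_SOCK" --filter \
        --talk=org.freedesktop.secrets \
        --talk=org.fcitx.Fcitx5 --talk=org.freedesktop.portal.Fcitx \
        --talk='org.fcitx.Fcitx.*' --talk=org.freedesktop.portal.IBus \
        --talk=org.freedesktop.Notifications \
        --talk=org.kde.StatusNotifierItem --talk=org.kde.StatusNotifierWatcher
}

# bwrap arguments, one per line. Order matters: the tmpfs over $HOME is
# mounted first and the single writable directory is bound on top of it, so
# ~/.ssh, ~/.gnupg and the browser profiles do not exist inside the sandbox.
# The app only gets the proxy socket, presented as its regular session bus.
bwrap_args() {
    wl="$XDG_RUNTIME_DIR/${WAYLAND_DISPLAY:-wayland-0}"
    printf '%s\n' \
        --unshare-all --share-net --die-with-parent --new-session \
        --ro-bind /nix/store /nix/store \
        --ro-bind-try /run/current-system /run/current-system \
        --ro-bind-try /run/opengl-driver /run/opengl-driver \
        --ro-bind-try /etc /etc --ro-bind-try /usr /usr \
        --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind-try /bin /bin \
        --dev /dev --dev-bind-try /dev/dri /dev/dri --proc /proc --tmpfs /tmp \
        --tmpfs "$HOME" \
        --bind "$HOME/.config/anytype" "$HOME/.config/anytype" \
        --ro-bind-try "$wl" "$wl" --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix \
        --bind "$PROXY_SOCK" "$XDG_RUNTIME_DIR/bus" \
        --setenv DBUS_SESSION_BUS_ADDRESS "unix:path=$XDG_RUNTIME_DIR/bus" \
        --setenv XDG_RUNTIME_DIR "$XDG_RUNTIME_DIR" --chdir "$HOME" \
        "${ANYTYPE_BIN:-anytype}"
}

# exec "$1" with the newline-separated argument list printed by function "$2"
# (split on newlines only, globbing off, so paths with spaces survive).
run_with_args() {
    set -f
    IFS='
'
    set -- "$1" $("$2")
    unset IFS
    set +f
    exec "$@"
}

run_sandbox() {
    mkdir -p "$HOME/.config/anytype"
    rm -f "$PROXY_SOCK"
    # The proxy lives outside the sandbox; the app never sees the real bus.
    run_with_args xdg-dbus-proxy dbus_proxy_args &
    proxy_pid=$!
    trap 'kill "$proxy_pid" 2>/dev/null; rm -f "$PROXY_SOCK"' EXIT
    n=0
    while [ ! -S "$PROXY_SOCK" ]; do          # wait for the proxy socket
        n=$((n + 1))
        [ "$n" -lt 50 ] || { echo "xdg-dbus-proxy did not start" >&2; exit 1; }
        sleep 0.1
    done
    (run_with_args bwrap bwrap_args)          # subshell, so the EXIT trap still runs
}

# Launch only when a binary is given, e.g.:
#   ANYTYPE_BIN="$(command -v anytype)" sh anytype-bwrap.sh
if [ -n "${ANYTYPE_BIN:-}" ]; then run_sandbox; fi
```

Without `ANYTYPE_BIN` the script only defines the functions, so `sh -c '. ./anytype-bwrap.sh; bwrap_args'` prints the generated mount list for review before anything runs. Because nixpkgs' bwrap relies on unprivileged user namespaces rather than setuid, this sidesteps the problem raised with `pkgs.firejail`; the thing to check first if the app fails to start is whether its own Chromium sandbox can create a nested user namespace inside bwrap, not the mount list.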