Is it possible to introduce a sandbox mode for applications?

While nix improves on multiple things (declarative config, running multiple versions of software is possible, reproducibility, “immutable” filesystem, etc.), I haven’t read nor heard about a permission system or sandbox for running applications.

Tools like flatpak and snap are making good progress on that front and making it possible to have more of a smartphone model for apps, which IMO is a great improvement to security.

Has this been discussed or brought up for nix? I imagine something like this could be possible

programs.firefox = {
  enable = true;
  defaultPermissions = [
    "network"
    "gui:wayland"
    "gui:x11"
    "audio:mic"
    "audio:speakers"
  ];
  optionalPermissions = [
    "filesystem:all"
    "notifications"
  ];
};

For backwards compatibility applications could have defaultPermissions = [ "all" ]; while certain apps are migrated towards the permission system.

As for implementation, I don’t know enough about it, but eBPF and SEL maybe? As I said, no experience with this kind of stuff except as a user.

2 Likes

I think something like this would be incredibly useful, especially if it could also be made to work smoothly for ad-hoc environments (nix-shell etc).

I’m currently using some bubblewrap scripts inspired by ~fgaz/nix-bubblewrap - Nix - bubblewrap integration - sourcehut git , but that’s not in a state where I can share it yet.

I’ve been meaning to look into GitHub - nixpak/nixpak: Runtime sandboxing for Nix but haven’t found the time yet.

3 Likes
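As an added illustration of the permission list proposed in the opening post and of the bubblewrap-based approach the reply above mentions, here is a small POSIX sh sketch that maps those permission tokens onto bwrap arguments. It is constructed for this thread and is not code from nixpak or nix-bubblewrap; the bwrap flags are real, but the token-to-flag mapping, the RUNTIME_DIR default and the socket paths are assumptions about a typical desktop session. The sandbox is deny-by-default: anything the list does not name stays unshared, and an unknown token aborts the build rather than silently granting access.

```shell
#!/bin/sh
# Hypothetical mapping from the proposed permission tokens to bubblewrap
# arguments. Constructed example, not nixpak/nix-bubblewrap code.

# Socket directory for Wayland, PipeWire and D-Bus (assumed layout;
# the default keeps the mapping deterministic when XDG_RUNTIME_DIR is unset).
RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/1000}"

# Deny-by-default base: fresh namespaces for everything (including network),
# read-only /nix/store, private /proc, /dev and /tmp, no controlling tty.
bwrap_base_args() {
  printf '%s ' \
    --unshare-all \
    --die-with-parent \
    --new-session \
    --ro-bind /nix/store /nix/store \
    --proc /proc \
    --dev /dev \
    --tmpfs /tmp
}

# One permission token -> bwrap flags. Unknown tokens print nothing and
# return 1 so the caller fails closed.
perm_to_bwrap_args() {
  case "$1" in
    network)
      # Re-enable the network namespace and expose resolver/CA config.
      printf '%s ' --share-net \
        --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
        --ro-bind-try /etc/ssl /etc/ssl ;;
    gui:wayland)
      sock="$RUNTIME_DIR/${WAYLAND_DISPLAY:-wayland-0}"
      printf '%s ' --ro-bind "$sock" "$sock" \
        --setenv WAYLAND_DISPLAY "${WAYLAND_DISPLAY:-wayland-0}" ;;
    gui:x11)
      # Note: X11 has no client isolation; a sandboxed X client can still
      # snoop on other windows. Wayland is the stronger choice.
      printf '%s ' --ro-bind /tmp/.X11-unix /tmp/.X11-unix ;;
    audio:mic|audio:speakers)
      # Both tokens expose the same PipeWire socket; separating capture from
      # playback needs the audio server's own access policy (assumption).
      printf '%s ' --ro-bind "$RUNTIME_DIR/pipewire-0" "$RUNTIME_DIR/pipewire-0" ;;
    filesystem:all)
      printf '%s ' --bind "$HOME" "$HOME" ;;
    notifications)
      # Exposing the raw session bus grants far more than notifications;
      # a real implementation would put xdg-dbus-proxy in front of it.
      printf '%s ' --ro-bind "$RUNTIME_DIR/bus" "$RUNTIME_DIR/bus" ;;
    *)
      return 1 ;;
  esac
}

# Build the argument string for a space-separated permission list.
# "all" is the backwards-compatibility token from the proposal: it means
# "not migrated yet", so the output is empty and the caller runs the
# program unsandboxed. Any unknown token makes the build fail (exit 1).
build_bwrap_args() {
  for p in $1; do
    [ "$p" = all ] && return 0
  done
  args="$(bwrap_base_args)"
  for p in $1; do
    extra="$(perm_to_bwrap_args "$p")" || {
      echo "build_bwrap_args: unknown permission '$p'" >&2
      return 1
    }
    args="$args$extra"
  done
  printf '%s' "$args"
}

# Usage: ./sandbox.sh firefox   (runs with the proposal's defaultPermissions;
# optionalPermissions would be appended here only once the user grants them).
# Relies on word splitting of $args, so paths with spaces are not supported.
if [ "$#" -gt 0 ]; then
  args="$(build_bwrap_args "network gui:wayland gui:x11 audio:mic audio:speakers")" || exit 1
  if [ -z "$args" ]; then
    exec "$@"
  else
    exec bwrap $args -- "$@"
  fi
fi
```

The useful property to notice is where the two failure modes land: a token nobody has mapped yet cannot be granted by accident, and the backwards-compatibility "all" token is visibly different from a sandbox with no permissions, so a migration can be audited by grepping for it.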

I think the best thing to do here is encourage adoption of AppArmor from package maintainers. For existing options I think firejail is your best bet. And of course you can always use flatpak. Honorable mentions go to systemd-run and NixOS containers, which aren’t secure by default but can be made so. Given the amount of options, I’m not sure it’s worth adding even more. But something like what you’ve shown above would be up to the package maintainers anyways AFAICT.

Also alternatively; proper integration for flatpak into NixOS could allow for this kind of thing without reinventing the wheel.

1 Like

Is there any existing discussion you’re aware of for what constitutes proper flatpak integration? I’ve only ever had a few issues using flatpak and NixOS together. Aside from breaking my .desktop files when flatpak updates, all I can think of that’s missing is declarative flatpaks, which couldn’t be pure anyways and probably belong in home manager instead.

That’s what I’d like, including declarative configuration of permissions and such. It doesn’t actually have to be pure, just more declaratively controlled, and I don’t think it needs to be confined to home-manager.

How exactly that is to be achieved is a different question :wink:

2 Likes

You’re right on all accounts, not sure where I was going with the purity/home manager thought train.
On a separate note nixpak looks very cool, I’ll have to give it a try when I find the time.