Firejail: Difference between revisions

← Older edit

Firejail (view source)

Revision as of 21:01, 25 June 2024

3,611 bytes added , Tuesday at 21:01

m

→‎Torify application traffic

VisualWikitext

Klinger

trusted

596

edits

@@ Line 44: / Line 44: @@
      };
      signal-desktop = {
-       executable = "${pkgs.signal-desktop}/bin/signal-desktop --enable-features=UseOzonePlatform --ozone-platform=wayland";
+      # Enable tray icon otherwise Signal window might be hidden
+       executable = "${pkgs.signal-desktop}/bin/signal-desktop --use-tray-icon";
        profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
-       extraArgs = [ "--env=LC_ALL=C" "--env=GTK_THEME=Adwaita:dark" ];
+       extraArgs = [
+        # Enforce dark mode
+        "--env=GTK_THEME=Adwaita:dark"
+        # Enable Wayland mode
+        "--env=NIXOS_OZONE_WL=1"
+        # Allow tray icon (should be upstreamed into signal-desktop.profile)
+        "--dbus-user.talk=org.kde.StatusNotifierWatcher"
+      ];
      };
    };
@@ Line 70: / Line 78: @@
 networking = {
+  useNetworkd = true;
    bridges."tornet".interfaces = [];
-   interfaces.tornet.ipv4.addresses = [{
+   nftables = {
-    address = "10.100.100.1";
+    enable = true;
-     prefixLength = 24;
+    ruleset = ''
-   }];
+      table ip nat {
+        chain PREROUTING {
+          type nat hook prerouting priority dstnat; policy accept;
+          iifname "tornet" meta l4proto tcp dnat to 127.0.0.1:9040
+          iifname "tornet" udp dport 53 dnat to 127.0.0.1:5353
+        }
+      }
+    '';
+  };
+  nat = {
+    internalInterfaces = [ "tornet " ];
+    forwardPorts = [
+      {
+        destination = "127.0.0.1:5353";
+        proto = "udp";
+        sourcePort = 53;
+      }
+     ];
+   };
    firewall = {
      enable = true;
@@ Line 81: / Line 108: @@
        allowedUDPPorts = [ 5353 ];
      };
-     extraCommands = ''
+  };
-       iptables -t nat -A PREROUTING -i tornet -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
+};
-       iptables -t nat -A PREROUTING -i tornet -p tcp -j DNAT --to-destination 127.0.0.1:9040
-     '';
+systemd.network = {
+  enable = true;
+  networks.tornet = {
+    matchConfig.Name = "tornet";
+     DHCP = "no";
+    networkConfig = {
+       ConfigureWithoutCarrier = true;
+       Address = "10.100.100.1/24";
+    };
+     linkConfig.ActivationPolicy = "always-up";
    };
 };
@@ Line 101: / Line 137: @@
 You can use a custom DNS server if you don't want to use the one of your system. In this example, it's a server by the German privacy NGO [https://digitalcourage.de/support/zensurfreier-dns-server Digitalcourage].
-For a detailed explanation on this setup refer the [https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto original guide]. Please note that this is a experimental setup which doesn't guarantee anonymity or security in any circumstances.
+Using [[Systemd/networkd/dispatcher]] it is possible to restart the Tor daemon every time network reconnect is performaed. This avoids having to wait for Tor network timeouts and reastablishes a new connection faster.
+For a detailed explanation on this setup refer the [https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto original guide]. Please note that this is a experimental setup which doesn't guarantee anonymity or security in any circumstances.
+=== Add Desktop Icons to Firejailed Apps ===
+I wanted to use Firejail to lock down Google Chrome. It worked well, however, I wanted a pretty icon for the application.
+There are probably better ways to do this, but I accomplished it using Home Manager to symlink Chrome's actual icon set into your local icon directory.
+<syntaxhighlight lang="nix">
+## Firejail Config
+programs.firejail = {
+  enable = true;
+  wrappedBinaries = {
+    google-chrome-stable = {
+      executable = "${pkgs.google-chrome}/bin/google-chrome-stable";
+      profile = "${pkgs.firejail}/etc/firejail/google-chrome.profile";
+      desktop = "${pkgs.google-chrome}/share/applications/google-chrome.desktop";
+    };
+  };
+};
+## Home Manager Config
+home.file.".local/share/icons/hicolor/16x16/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/16x16/apps/google-chrome.png";
+home.file.".local/share/icons/hicolor/24x24/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/24x24/apps/google-chrome.png";
+home.file.".local/share/icons/hicolor/32x32/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/32x32/apps/google-chrome.png";
+home.file.".local/share/icons/hicolor/48x48/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/48x48/apps/google-chrome.png";
+home.file.".local/share/icons/hicolor/64x64/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/64x64/apps/google-chrome.png";
+home.file.".local/share/icons/hicolor/128x128/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/128x128/apps/google-chrome.png";
+home.file.".local/share/icons/hicolor/256x256/apps/google-chrome.png".source = "${pkgs.google-chrome}/share/icons/hicolor/256x256/apps/google-chrome.png";
+</syntaxhighlight>
+Another way to do this is to create a package with the firejailed application icons. This way, it can be done without home manager, and thus have the icons for all users.
+<syntaxhighlight lang="nix">
+environment.systemPackages = [
+  (
+    let
+      packages = with pkgs; [
+        electrum
+        firefox
+        mpv
+        gajim
+        tor-browser
+        vlc
+      ];
+    in
+    pkgs.runCommand "firejail-icons"
+      {
+        preferLocalBuild = true;
+        allowSubstitutes = false;
+        meta.priority = -1;
+      }
+      ''
+        mkdir -p "$out/share/icons"
+        ${lib.concatLines (map (pkg: ''
+          tar -C "${pkg}" -c share/icons -h --mode 0755 -f - | tar -C "$out" -xf -
+        '') packages)}
+        find "$out/" -type f -print0 | xargs -0 chmod 0444
+        find "$out/" -type d -print0 | xargs -0 chmod 0555
+      ''
+  )
+];
+</syntaxhighlight>
 [[Category:Applications]]
 [[Category:Security]]