I watched the video. Yes, if your sandbox config is weak then it will allow sandbox escapes. I agree the should default should be a secure sandbox. Bubblewrap offers the opportunity to shoot yourself in the foot. Look into the others tools I mentioned if you want to see different implementations. Sydbox is the one I think is the most interesting.
N.E.P.T.R
I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.
- 0 Posts
- 11 Comments
Joined 3 months ago
Cake day: November 20th, 2024
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
The only way I know to harden Linux Mint is using the Debian edition. Using LMDE, you can (unofficial) use Kicksecure to harden the base system. This isnt a great solution since the Linux Mint software is untested with Kicksecure and may/will reduce the security of the overall hardening.
Hardening is not useless, but it doesnt fix the architectural issues with Linux and its outdated threat model. That article says the same thing. It isnt an all-or-nothing situation, hardening still improves Linux security. Projects exist like SELinux, Bubblewrap, Crablock, Sydbox, and Landlock. Efforts to harden GNU/Linux have been made, like Kicksecure (Debian) and Secureblue (Fedora Silverblue), which protect against many threat vectors, but not perfect obviously.
0·12 days agoThat is generally called the principle of least privilege.
Fitejail is a large SETUID binary which weakens security and can aid in privilege escalation. Use Bubblewrap (preinstalled on most Linux systems cus of Flatpak) which runs unpriveleged. Bubblejail is a program that makes it easier to make sandboxes profiles for apps.
Also seems to have way too many permissions. Maybe to work around some problem "flatpak"ing virt-manager?
Is there now a flatpak for virt-manager?
Lacks many features atm, eg VoIP, matrix call, threads, etc. Still very promising and I like that it is written in Rust.
Aurora is a downstream Kinoite distro by the Universal Blue project. It is tweaked to be a bit more user friendly and has a lot of tweaks and changes. I recommend anyone try it out.
uBlock Medium requires some unbreaking of websites, so i would avoid it on this laptop. Ungoogled Chromium could be a good replacement for chrome.
You can layer packages using
rpm-ostree install $pkgname. It uses fedora repos. You can also (preferably) use a distrobox or toolbox container with a non-atomic distro and then install the desired package. Generally better to avoid layering packages but it works fine in my experience.