home.social

#firejail — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #firejail, aggregated by home.social.

  1. And as a security measure, when it decides to run shell commands, those are sandboxed in #firejail with optionally enabled networking on project setup. It also supports skills (progressive disclosure), has basic filesystem and file editing tools, whiteboard (scratchpad) memory and agentic tasks running in a separate-context subagent to limit hallucinations.

  5. Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!

  10. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But it seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)

  16. #firejail is good. I always thought of it as a filesystem sandbox, but it's a network tool too. Just used it to create a network jail for #Steam, forcing it to use only my Wi-Fi.

  19. I switched from #AppArmor to #Firejail on my desktop. For me Firejail's configuration is much less cryptic than AppArmor's :) But I noticed there was no syntax highlighting for Firejail config files in #Emacs, so I created a simple mode using SMIE:

    github.com/grafov/firejail-mode

    Because GNU/Emacs should have a mode for any task, you know! #butterfly

  23. Why Avoid Binaries in Early-Stage Projects?

    Auditability: Source code is readable, understandable, and can be version-controlled. Binaries (especially opaque ones) may include unknown payloads, telemetry, or hardcoded calls. #bubblewrap #firejail

  27. oniux!
    pzhdfe7jraknpj2qgu5cz2u3i4deuy
    hexchat and curl work

    onionmasq
    gitlab.torproject.org/tpo/core
    Experimentation Tips --->
    Unless you’ve already got Debian Trixie set up, provided that #rustlang works best in the latest #environment, I would recommend #Fedora for rustup and cargo. Be sure you run #AndroidStudio on baremetal for kvm #emulation to work properly for device profiles and then you can forget about nested virtualization.

    Onionmasq looks like a better option for unblocking access while utilizing tor as much as possible than tor to ovpn (wireguard can’t do that). But the project is still under development. It would be nice to have a --net=onion0 option work with #firejail but as you will notice with #oniux, there is already a level of sandboxing active and ioctl (also RTNETLINK) is not configured to handle this new organization.

    #Rust #TorProject #Android #App

  32. @libreoffice I like LibreOffice because 1) it is intuitive to use, you don't have to read a manual to use basic functions; 2) it is trouble-free to use without Internet in a sandbox (firejail); 3) it can be extended with add-ons; 4) it can read proprietary formats, unfortunately sometimes necessary; 4) its range of functions allows you to have no disadvantages when using free software for word/table/presentation editing.

    #LibreOffice #firejail

  37. That aside, this #firejail definitely seems to be the way forward. I have a whole other #Firefox profile running in its own little filesystem with its whole own configuration which is only going to be used for a Google login I use for basic-bitch email and YouTube. And no Google login shall ever touch my main/local Firefox which shall only log into my own mail/mastodon/etc services. (Though I'm tempted to jail that too now lol.. throw 'em all in gaol!!)

    I see Firefox defaults to Google search (fixed, now DDG) and has a bunch of sponsored shit on the "home" page (turned off recommended/sponsored stories and shortcuts)

    "Enhancer for YouTube" successfully stops autoplaying in new tabs, background tabs, and also even with internal YouTube clicks - this alone is a big win from moving away from Chrome. Oooo... it has a "hide shorts" option, it works, they're all gone, hurrah!
