#firejail — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #firejail, aggregated by home.social.
-
And as a security measure, when it decides to run shell commands, those are sandboxed in #firejail with optionally enabled networking on project setup. It also supports skills (progressive disclosure), has basic filesystem and file editing tools, whiteboard (scratchpad) memory and agentic tasks running in a separate-context subagent to limit hallucinations.
-
A new forum post: https://linux-nerds.org/topic/1853/claude-code-einsperren #linux #firejail
-
Why I use #Firejail in #Linux:
#cybersecurity #sandbox
Protect Your System: Run Your Browser In Firejail
https://www.dotlinux.net/blog/protect-your-system-run-your-browser-in-firejail/
-
Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!
-
Hardening with Firejail, Landlock, and bubblewrap
Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.
First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.
What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.
Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.
The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.
Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.
I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But it seems like it's going to be a good next step.
#security #linux #bwrap #landlock #firejail
Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)
-
I switched from #AppArmor to #Firejail on my desktop. For me Firejail's configuration is much less cryptic than AppArmor's :) But I noticed there was no syntax highlighting for Firejail config files in #Emacs, so I created a simple mode using SMIE:
https://github.com/grafov/firejail-mode
Because GNU/Emacs should have a mode for any task, you know! #butterfly
-
Why Avoid Binaries in Early-Stage Projects?
Auditability: Source code is readable, understandable, and can be version-controlled. Binaries (especially opaque ones) may include unknown payloads, telemetry, or hardcoded calls. #bubblewrap #firejail
-
oniux!
http://pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/introducing-oniux-tor-isolation-using-linux-namespaces/
hexchat and curl work
onionmasq
https://gitlab.torproject.org/tpo/core/onionmasq
Experimentation Tips --->
Unless you’ve already got Debian Trixie set up, provided that #rustlang works best in the latest #environment, I would recommend #Fedora for rustup and cargo. Be sure you run #AndroidStudio on baremetal for kvm #emulation to work properly for device profiles and then you can forget about nested virtualization. Onionmasq looks like a better option for unblocking access while utilizing tor as much as possible than tor to ovpn (wireguard can’t do that). But the project is still under development. It would be nice to have a --net=onion0 option work with #firejail but as you will notice with #oniux, there is already a level of sandboxing active and ioctl (also RTNETLINK) is not configured to handle this new organization.
-
@libreoffice I like LibreOffice because 1) it is intuitive to use, you don't have to read a manual to use basic functions; 2) it is trouble-free to use without Internet in a sandbox (firejail); 3) it can be extended with add-ons; 4) it can read proprietary formats, unfortunately sometimes necessary; 4) its range of functions allows you to have no disadvantages when using free software for word/table/presentation editing.
-
@LibreQoS @mtaht
#TrafficShaping and #bandwidth
in #tor
https://tpo.pages.torproject.net/web/support/ga/relay-operators/bandwidth-shaping/
in #firejail
https://www.pcsuggest.com/bandwidth-traffic-shaping-in-linux-with-firejail/
But why would you want to mess with QoS otherwise unless just to annoy your kid with a cellphone or home connection that is too slow to be useful?
-
That aside, this #firejail definitely seems to be the way forward. I have a whole other #Firefox profile running in its own little filesystem with its whole own configuration which is only going to be used for a Google login I use for basic-bitch email and YouTube. And no Google login shall ever touch my main/local Firefox which shall only log into my own mail/mastodon/etc services. (Though I'm tempted to jail that too now lol.. throw 'em all in gaol!!)
I see Firefox defaults to Google search (fixed, now DDG) and has a bunch of sponsored shit on the "home" page (turned off recommended/sponsored stories and shortcuts)
"Enhancer for YouTube" successfully stops autoplaying in new tabs, background tabs, and also even with internal YouTube clicks - this alone is a big win from moving away from Chrome. Oooo... it has a "hide shorts" option, it works, they're all gone, hurrah!