home.social

#firejail — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #firejail, aggregated by home.social.

  1. Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!

  2. Hardening with Firejail, Landlock, and bubblewrap

    Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

    First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

    What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

    Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

    The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

    Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

    I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But it seems like it's going to be a good next step.

    #security #linux #bwrap #landlock #firejail

    Originally published [on my blog](advancedweb.hu/shorts/hardenin)
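The layering the post describes, as an added wrapper script (not the author's code): $HOME is bound read-only first, then the browser profile and ~/.ssh beneath it are masked with empty tmpfs mounts, which a single Landlock rule granting $HOME could not express. The chromium profile path and the per-app writable directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: run a program under bubblewrap with
# layered filesystem access. bwrap applies mounts in order, so a later
# --tmpfs over a subdirectory hides it even though the parent directory
# was bound read-only earlier. Landlock's directory rules cannot do that:
# allowing $HOME there allows everything beneath it.
# Assumed (hypothetical) paths: a browser profile at $HOME/.config/chromium
# and a per-app writable directory at $HOME/.local/share/sandbox/<app>.

# Print one bwrap argument per line for APP, using HOME_DIR as the home.
build_bwrap_args() {
    app="$1"
    home_dir="${2:-$HOME}"
    printf '%s\n' \
        --ro-bind / / \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --ro-bind "$home_dir" "$home_dir" \
        --tmpfs "$home_dir/.config/chromium" \
        --tmpfs "$home_dir/.ssh" \
        --bind "$home_dir/.local/share/sandbox/$app" \
               "$home_dir/.local/share/sandbox/$app" \
        --unshare-pid --unshare-ipc --unshare-uts \
        --die-with-parent --new-session
    # Add --unshare-net to the list above to cut the network as well.
}

# Run APP inside the sandbox; remaining arguments are passed to APP.
# The masked directories must already exist on the host: bwrap mounts
# over them, it does not create them inside a read-only parent.
run_sandboxed() {
    app="$1"; shift
    mkdir -p "$HOME/.local/share/sandbox/$app"
    IFS='
'
    set -f   # no globbing while the argument list is split on newlines
    # shellcheck disable=SC2046
    exec bwrap $(build_bwrap_args "$app") -- "$app" "$@"
}

# Usage: sh sandbox.sh chromium [args...]
if [ "$#" -gt 0 ]; then
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; exit 1; }
    run_sandboxed "$@"
fi
```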

  3. Why Avoid Binaries in Early-Stage Projects?

    Auditability: Source code is readable, understandable, and can be version-controlled. Binaries (especially opaque ones) may include unknown payloads, telemetry, or hardcoded calls. #bubblewrap #firejail

  4. Would it not be fair to say that #vanguards is the #fdns of #tor ?

    #netblue #firejail and #mikePerry really should talk to each other if they haven't already.

    Lots of factors come into play. There isn't just one easy solution that works for everything online. There are levels of tor just like there are levels of dns filtering and control.

    ****** Why have local storage if you have a secure and accessible global commons? Because there will never be enough of one, just more fences on the prairie? Could you keep out a Tailored Access APT even if you were primarily locally owned? *****

    I wonder why p2p like i2p and yggdrasil have remained less developed than tor or dns. Has anyone got the i2p config to work well with ygg or torsocks as was envisioned?

    #obliviousDNS is new and interesting R&D.

    #VPN has definite flaws. Often acts more like a vector than a security.

    #Veilid looks promising with #IPFS and the anonymity design. But it might end up like i2p, freenet, or yggdrasil without more development. Technologies like tor's #onionshare (which requires agreed upon share time) or ricochet-refresh #gosling (#rust) are useful if you don't want upload/download from 3rd party drives and the cloud. Everyone finds a need to share hefty files from time to time unless you like passing USB sticks around.

  6. From the Linux Update newsletter: @hgesser shows you how to monitor and isolate unknown applications to safeguard your system with the strace analysis tool and the Firejail sandbox linux-magazine.com/Issues/2024