Qubes OS: A reasonably secure operating system
www.qubes-os.org
Qubes is a security-oriented, free and open-source operating system for personal computers that allows you to securely compartmentalize your digital life.

With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?

Flatpacking is great but not all applications support it.

Is it too much of a hassle?

  • Joe@discuss.tchncs.de
    91·
    2 days ago

    A couple of tricks I use:

    • an apparmor profile tied to a shell script that wraps other commands … it restricts read & write access to a scratch directory … perfect for builds or one off scripts.

    • iptables rules & cgroups to restrict network access… I have a setuid wrapper that drops privs again…

    • bwrap and mounting only what’s necessary… quick to get going.

    • custom landlock wrapper, similar to apparmor but allows for quick userspace wrapping.

    They can be combined too.

    • FineCoatMummy@sh.itjust.worksEnglish
      4·
      2 days ago

      +1. May I add a few other help gizmos to that list?

      • firejail. Super easy one off sandboxing. I have a bunch of aliases like “firejail --some-params – some-command-i-wanna-sandbox”.
      • lxc. Middle weight sandboxing. Easy to get a console into it and have a whole OS env, which is nice sometimes. Much lighter than a KVM sandbox. But not quite as secure since it uses the same kernel. Super great to control network config for an app or group of similar apps. And easy to put a several related things into it that you wanna use all together. You can even use a separate VPN in each one.