Basically
- Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
- The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
- the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!
- X11 is insecure, okay we know that
- the kernel is very bloated and everything in there has all the permissions, which is not needed
- Kernel bugs are often not fixed quickly or at all
- Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE
I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.
On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.
This would mean user namespaces need to be enabled again, which I can’t seem to make work with
sudo sysctl -w kernel.unprivileged_users_clone=1
But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?
I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):
https://github.com/qoijjj/hardened-images
The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.
Maybe nix is a solution? Would this be a good idea?
Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.
What do you know about this?
I’m not sure if at this point the browser verifies whether the cert is even legit for github.com