30
submitted 11 months ago by Pantherina@feddit.de to c/linux@lemmy.ml

Basically

  • Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
  • The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
  • the root password can be extracted veeery easily, especially when entering it through a terminal. Windows "okay" button might actually be more secure!
  • X11 is insecure, okay we know that
  • the kernel is very bloated and everything in there has all the permissions, which is not needed
  • Kernel bugs are often not fixed quickly or at all
  • Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE

I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.

On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.

This would mean user namespaces need to be enabled again, which I can't seem to make work with

sudo sysctl -w kernel.unprivileged_users_clone=1

But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?

I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):

https://github.com/qoijjj/hardened-images

The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.

Maybe nix is a solution? Would this be a good idea?

Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.

What do you know about this?

you are viewing a single comment's thread
view the rest of the comments
[-] ReversalHatchery@beehaw.org 12 points 11 months ago

"This connection is untrusted" "SSL_ERROR_BAD_CERT_DOMAIN"

The irony.

[-] Pantherina@feddit.de 1 points 11 months ago

I mean the origin is still legit, so there is no real problem with it, right?

One cannot just register a site as github.com

[-] Strit@lemmy.linuxuserspace.show 2 points 11 months ago

It uses the github cert, but that is not set to use the github.io subpages that start with www.

load more comments (1 replies)
load more comments (1 replies)
this post was submitted on 24 Nov 2023
30 points (84.1% liked)

Linux

47940 readers
1153 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS