Recommend security-first basic Linux Apps! (github.com)
from Pantherina@feddit.de to linux@lemmy.ml on 29 Nov 2023 23:42
https://feddit.de/post/6195130

As part of the effort of making a “Chromebook-like” secure, autoupdating, cloud-native, “unbreakable” (but still free and privacy-friendly) Distro, I would like some of your recommendations on especially secure software, that could replace common ones like File managers, Archive Managers, PDF reader, Image viewer etc.

I am thinking of Loupe, GNOME's new image viewer written in Rust, that opens SVGs in a sandbox to avoid issues here.

Memory safety, reasonable simplicity, updated code, these should be requirements.

Any other recommendations? Thanks guys!

Btw Flatpaks are working now! Come and test Secureblue!

#linux

GustavoM@lemmy.world on 30 Nov 2023 00:34

firejail

ufw

And docker if you are paranoid. (You can completely shut off the network of specific commands – can’t get any better (and safer) than that!).

draughtcyclist@programming.dev on 30 Nov 2023 00:37

I love ufw… So straightforward and easy to use.

JustEnoughDucks@feddit.nl on 30 Nov 2023 09:18

It’s a pity that docker doesn’t work with it well…

GravitySpoiled@lemmy.ml on 30 Nov 2023 11:45

Doesn’t podman solve that issue?

Pantherina@feddit.de on 30 Nov 2023 12:15

Yup, security-wise I would also say Podman > Docker

Pantherina@feddit.de on 30 Nov 2023 03:21

Firejail has some big security flaws. There is bubblejail, which uses the way better bubblewrap also used for Flatpaks.

But the Bubblewrap and Flatpak situation is quite complex. Flatpaks, as well as Podman containers, require user namespaces. Through these namespaces programs can get privileged access to system components, which is why secureblue now has bubblewrap-suid installed.

bubblejail maybe uses that binary already, or it needs to be patched too.

[deleted] on 30 Nov 2023 07:11

.

Pantherina@feddit.de on 30 Nov 2023 12:04

I am no expert but it is possible. So the namespace has to be set by root and then used.

idiocracy@lemmy.zip on 30 Nov 2023 10:20

I keep seeing firejail being recommended though, were the security flaws still not fixed?

ninekeysdown@lemmy.world on 30 Nov 2023 13:52

To add to this, systemd can do everything they can. You can isolate network, do firewalling, and sandboxing pretty easily. Any OCI container can be used too if you don’t want to install something too.
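
Added example, not part of the comment above or of anyone's post in this thread: a systemd service unit showing the three things that comment names (network isolation, firewalling, sandboxing) using standard `systemd.exec` and `systemd.resource-control` directives. The unit name, description and binary path are hypothetical, and the allowed subnet is a documentation range used as a placeholder.

```ini
# /etc/systemd/system/example-helper.service
# (hypothetical unit name; constructed example)
[Unit]
Description=Example sandboxed helper

[Service]
# Hypothetical binary path, replace with the real program.
ExecStart=/usr/bin/example-helper

# --- Network isolation ---
# Own network namespace with only a loopback device: no outside traffic at all.
PrivateNetwork=yes
# Only AF_UNIX sockets may be created, so no IP sockets even on loopback.
RestrictAddressFamilies=AF_UNIX

# --- Firewalling (alternative when some network access is required) ---
# Remove PrivateNetwork= and RestrictAddressFamilies= above, then allow-list
# destinations with the per-unit cgroup IP filter. 192.0.2.0/24 is a placeholder.
#IPAddressDeny=any
#IPAddressAllow=192.0.2.0/24

# --- Sandboxing ---
# Run as a transient unprivileged user that exists only while the unit runs.
DynamicUser=yes
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Drop every capability from the bounding set.
CapabilityBoundingSet=
# Whole filesystem read-only; /home, /root and /run/user inaccessible.
ProtectSystem=strict
ProtectHome=yes
# Private /tmp and a minimal /dev without physical devices.
PrivateTmp=yes
PrivateDevices=yes
# Kernel tunables, module loading and the cgroup tree are off limits.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# The service may not create namespaces of its own.
RestrictNamespaces=yes
# Syscall allow-list for ordinary services, native ABI only.
SystemCallFilter=@system-service
SystemCallArchitectures=native
# No writable+executable memory mappings, no personality() changes.
MemoryDenyWriteExecute=yes
LockPersonality=yes
```

Running `systemd-analyze security example-helper.service` reports an exposure score for the unit and lists which hardening directives are still unset.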