Sandboxing on Debian

O'Niel
Posts: 28
Joined: 2016-08-20 20:49

Sandboxing on Debian

#1 Post by O'Niel »

Hi.

I'm about to install Debian, after doing some research I saw it was the best.
But I still need to know one thing!

Is there a kind of technology which does sandboxing on Debian?
I want something like QubesOS, but with a smaller 'impact' on my system.

Example:
I have some documents that need to stay secret. But I also need to be able to use the internet.
So I want two sandboxes.
One to work on the project, and that sandbox shouldn't have internet access; nor should other processes on my system be able to view or modify the files.
And a second sandbox to use Firefox, so that if my browser gets exploited or I download malware, my system isn't compromised, and certainly not my special docs in the other sandbox.

I already looked it up and found things like SELinux, but that's only for applications. Not for files.

Thanks!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: Sandboxing on Debian

#2 Post by Head_on_a_Stick »

For Firefox:

https://packages.debian.org/jessie-backports/firejail

For your "project" system, use an encrypted filesystem tree as a container.
deadbang

#3 Post by O'Niel »

Head_on_a_Stick wrote:
> For Firefox:
>
> https://packages.debian.org/jessie-backports/firejail
>
> For your "project" system, use an encrypted filesystem tree as a container.

Thanks for your reply.
But when I decrypt that filesystem to edit the files myself, would malware or whatever then not be able to read those files, since they're decrypted?

Or what if someone who controls my PC with malware can keylog the key for the encrypted files?
I'd actually need an encrypted sandbox filesystem.

Edit:

What about Mbox?
https://pdos.csail.mit.edu/archive/mbox/
Last edited by O'Niel on 2017-01-14 21:48, edited 1 time in total.

#4 Post by Head_on_a_Stick »

O'Niel wrote:
> But when I decrypt that filesystem to edit the files myself, would malware or whatever then not be able to read those files, since they're decrypted?

Only if the malware has the privileges needed to view the non-encrypted filesystem.

Convention would place containers under /var/lib/machines and this is *not* readable by normal users ;)
deadbang

#5 Post by O'Niel »

Okay thanks a lot!
But that filesystem tree, should that really be a separate filesystem, or just another tree (directory) in Dolphin which I'll encrypt?
And is there a possibility to make Firefox run in Firejail by default?

#6 Post by Head_on_a_Stick »

O'Niel wrote:
> But that filesystem tree, should that really be a separate filesystem, or just another tree (directory) in Dolphin which I'll encrypt?

I'm not sure, to be honest, I was just floating some suggestions, that's all :)

> Is there a possibility to make Firefox run in Firejail by default?

I use https://forums.bunsenlabs.org/viewtopic ... 355#p42355
deadbang

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Sandboxing on Debian

#7 Post by dasein »

O'Niel wrote:
> But when I decrypt that filesystem to edit the files myself, would malware or whatever then not be able to read those files, since they're decrypted?
>
> Or what if someone who controls my PC with malware can keylog the key for the encrypted files?
> I'd actually need an encrypted sandbox filesystem.

Your hypotheticals aren't nearly paranoid enough...

"What if" your HDD is compromised at the firmware level?

"What if" your CPU is undetectably compromised?

"What if" your USB ports are rigged with a built-in keylogger?

None of these is fantasy. Every single one is an existing, credible threat.

Last edited by dasein on 2017-01-15 03:05, edited 1 time in total.

#8 Post by O'Niel »

And thanks for the Firejail suggestion.
But is it really secure? I tried to keylog myself when using Firefox with Firejail and it worked.

#9 Post by Head_on_a_Stick »

O'Niel wrote:
> But is it really secure?

Not really, the X server itself is fundamentally insecure; as is Wayland.

Also, what dasein said :D
deadbang
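
The two sandboxes asked for in this thread, sketched as firejail invocations (an added example, not code from any poster or from the firejail project). It assumes `PROJECT_DIR` is the mount point of an already unlocked encrypted volume and `NET_IF` is your network interface; both names and their default values are hypothetical, and option availability depends on the installed firejail version.

```shell
#!/bin/sh
# Assumptions (hypothetical values, override via the environment):
PROJECT_DIR="${PROJECT_DIR:-$HOME/secret-project}"  # unlocked encrypted tree
NET_IF="${NET_IF:-eth0}"                            # interface for the browser

# Dry run by default: print the command instead of starting the sandbox.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# True only if the directory grants nothing to group or other (e.g. 700),
# so other unprivileged accounts cannot read the decrypted files.
dir_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Project sandbox: no network, and PROJECT_DIR is the only home it sees.
project_sandbox() {
    dir_is_private "$PROJECT_DIR" || {
        echo "refusing: $PROJECT_DIR missing or open to group/other" >&2
        return 1
    }
    run firejail --name=project --net=none --private="$PROJECT_DIR" "$@"
}

# Browser sandbox: throwaway home (project files are not visible) and a
# nested X server; firejail's X11 sandboxing needs a network namespace,
# hence --net=<interface>.
browser_sandbox() {
    run firejail --name=browser --private --x11=xephyr --net="$NET_IF" firefox "$@"
}

case "${1:-}" in
    project) shift; project_sandbox "$@" ;;
    browser) shift; browser_sandbox "$@" ;;
esac
```

On firejail versions that ship `firecfg`, running `sudo firecfg` creates symlinks in /usr/local/bin so that supported programs such as Firefox start inside firejail by default.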

#10 Post by O'Niel »

But it will protect against malware coming from the browser?

#11 Post by Head_on_a_Stick »

Your question is far too vague :?

Perhaps spend some time reading through http://www.cvedetails.com/product/3264/ ... dor_id=452?

EDIT: and https://firejail.wordpress.com/
deadbang

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Sandboxing on Debian

#12 Post by GarryRicketson »

The best way to avoid getting malware via your browser is to not visit the sites that distribute the malware... Do you need or want instructions on how to do that?
There is a lot of information on that if you search... most of them are known and listed.
Data that needs to be really secure, and is important to keep "secret" or secure, should not be kept on a computer that goes online... especially one being used to browse the sites that distribute malware.

> Example:
> I have some documents that need to stay secret.

It is just plain foolish to use the same computer to browse porn sites and other crap sites known to distribute malware and garbage.
I do not understand why you would want to download malware, and that kind of garbage, unless you are some kind of pervert, or running some sort of "honey pot", and need to download data to test it for malware, etc.

You could still connect to the internet on the separate computer, if and when need be, just don't use it for downloading your porn, and garbage, malware etc.
This is ridiculous, I don't know why I am even responding. Good night,

#13 Post by O'Niel »

LOL, you almost killed me.
It's not that I'll be downloading malware on purpose.

But advertisements, drive-by exploits, DNS-spoofing to malicious websites,... can all get you malware while you're browsing at MF google.com.
So 'not visiting websites that distribute malware' is not really valid advice, because you can't know which do and which don't.

I'm only asking for something like SELinux sandbox (on which I can't find anything), or Firejail, and something like that for a filesystem.

@HeadOnAStick:
Thanks for the links.
