[POLL] Let's all play in the sandbox!
- CynicalDebian
- Posts: 148
- Joined: 2023-03-02 05:26
- Location: California, USA
- Has thanked: 28 times
- Been thanked: 28 times
- Contact:
[POLL] Let's all play in the sandbox!
Personally I prefer Firejail, due to its simplicity and the extensive number of profiles written for it. Yet I don't write custom profiles for software not already profiled, and I don't use it on my server.
I used to use Flatpak, but then I ran into conflicts with it and my Nvidia driver from Nvidia's repo; this was when I was more of a n00b and it was entirely my fault. Now I swear off Flatpak because I don't want to be managing two packaging schemes on my desktop, and I never really need to obtain newer software.
I also try to use web clients for any Electron stuff like Discord or Spotify, but oftentimes these companies gimp the web-client versions of their software, so it's definitely a compromise; in a way, though, this ensures sandboxing through both the web browser and Firejail.
Oftentimes I feel like my sandboxing setup is inadequate, and I have seen many misbehaving programs stopped only by the *NIX file permission walls (Steam tries to write to /boot/efi!). Something like this, http://jorisvr.nl/article/steam-firejail-debian, is something I don't do; I just run Steam straight from the repos inside of my Firejail.
This post is a chance for you to brag about how l33t and secure your setup is, and maybe discuss some of the intricacies of sandboxing. Or perhaps, the fact that you trust Debian completely and never sandbox anything.
Yes, AppArmor is a default, but only pick it if you have gone out of your way to obtain additional profiles, and you may select multiple options!
Be seeing you...
Re: [POLL] Let's all play in the sandbox!
Firejail's generally preferred for me because I've found it to be more reliable. In particular, private homes and net=none are great.
Steam is good on Flatpak, but when I tried both Citra and Lutris through Flatpak, they had access to my home directory, and trying to override that didn't work, for some reason. I also haven't really figured out if there's an easy way to read what a Flatpak install actually does, à la Arch PKGBUILDs or Gentoo ebuilds, and I'm not sure if Flathub themselves do any kind of auditing to check for malware or not. I've looked for answers on the latter before, but they felt vague and open to interpretation at best.
Whenever I hear people mention malware on Linux, the most common concern I hear is them editing something like home directory dotfiles to automatically start a keylogger, so I'd really rather not give home access to anything that either isn't from the official repos or faces the internet, just in case. Then there's the keylogging itself, which apparently X11 is more susceptible to than Wayland, but I still have a couple of things that don't work on that, and I'd have to forego all of my favorite WMs and DEs to even use it, since last I checked, only tiling WMs have made much progress on Wayland, and I'm purely a stacking man. And I can't stand KDE or Gnome.
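The check pizza-rat is asking for (reading what a Flatpak app is allowed to touch, then taking home access away from it), as an added example that is not from the thread or from the Flatpak project. It parses the [Context] section in the format that `flatpak info --show-permissions APP` prints, flags the filesystems= entries that expose the whole home directory or the host filesystem, and prints the matching `flatpak override --user --nofilesystem=...` command for each. The app id org.example.Emulator and the metadata text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the sandbox permissions a Flatpak
# app declares, in the format printed by `flatpak info --show-permissions APP`.
# The app id org.example.Emulator and the metadata below are constructed.

# Read metadata on stdin; print each [Context] filesystems= entry that exposes
# the whole home directory or the host filesystem, one per line.
flag_broad_fs() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && index($0, "filesystems=") == 1 {
            n = split(substr($0, 13), fs, ";")
            for (i = 1; i <= n; i++) {
                e = fs[i]
                if (e == "") continue
                base = e; sub(/:.*$/, "", base)      # drop :ro / :rw / :create suffix
                if (base == "home" || base == "~" || base == "host" ||
                    base == "host-os" || base == "host-etc" || base == "/")
                    print e
            }
        }'
}

# Read the same metadata on stdin; print the user-level override that removes
# each flagged entry for the app id given as $1.
suggest_overrides() {
    app=$1
    flag_broad_fs | while IFS= read -r e; do
        base=${e%%:*}
        printf 'flatpak override --user --nofilesystem=%s %s\n' "$base" "$app"
    done
}

# Constructed metadata for a hypothetical emulator that asks for the whole home.
SAMPLE_META='[Application]
name=org.example.Emulator
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=dri;
filesystems=home;xdg-run/gamemode;/run/udev:ro;
'

audit_sample() {
    printf '%s' "$SAMPLE_META" | flag_broad_fs
}

fix_sample() {
    printf '%s' "$SAMPLE_META" | suggest_overrides org.example.Emulator
}

# Real use:  flatpak info --show-permissions org.example.Emulator | flag_broad_fs
audit_sample
fix_sample
```

On a real system pipe `flatpak info --show-permissions org.example.Emulator` into flag_broad_fs. When an override seems to do nothing, first check which installation the app lives in with `flatpak list --columns=application,installation` and keep the override on the same side (system overrides live under /var/lib/flatpak/overrides, user ones under ~/.local/share/flatpak/overrides); `flatpak override --user --show org.example.Emulator` lists what is currently applied, and `flatpak run --command=sh org.example.Emulator` followed by `ls ~` shows from inside the sandbox whether the home directory is still reachable.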
- CynicalDebian
- Posts: 148
- Joined: 2023-03-02 05:26
- Location: California, USA
- Has thanked: 28 times
- Been thanked: 28 times
- Contact:
Re: [POLL] Let's all play in the sandbox!
pizza-rat wrote: Whenever I hear people mention malware on Linux, the most common concern I hear is them editing something like home directory dotfiles to automatically start a keylogger, so I'd really rather not give home access to anything that either isn't from the official repos or faces the internet, just in case. Then there's the keylogging itself, which apparently X11 is more susceptible to than Wayland, but I still have a couple of things that don't work on that, and I'd have to forego all of my favorite WMs and DEs to even use it, since last I checked, only tiling WMs have made much progress on Wayland, and I'm purely a stacking man. And I can't stand KDE or Gnome.
Have you looked into nested X sessions using something like Xpra? https://firejail.wordpress.com/document ... x11-guide/
Keylogging on X is something I think is overblown; yes, it's a trade in security that programs have access to input devices, but in a way I don't expect my display environment to be my last line of defense against a keylogger. I think a lot of Wayland/Flatpak security models and hyper-aggressive sandboxization are people wanting to be able to run proprietary untrusted software safely and easily, which is an impossibility. I'd rather try to use free software that is less likely to contain a keylogger or engage in negative behavior on my system; of course I would theoretically want all software to be run in a sensible sandbox.
And there is definitely a usability tradeoff with Wayland, as in entire concepts of programs are impossible because of their security model.
Something I've noticed is that AppArmor definitely seems to have fallen out of favor, and even after all this time lots of packages don't ship an AppArmor profile by default, yet I think it is probably the best way to have good, user-friendly sandboxing out of the box.
Be seeing you...
Re: [POLL] Let's all play in the sandbox!
CynicalDebian wrote: ↑2023-05-20 02:23 Have you looked into nested X sessions using something like Xpra? https://firejail.wordpress.com/document ... x11-guide/
Hmm, never looked into that. Or I may have tried it at some point and run into an error; I'll give it another shot sometime.
CynicalDebian wrote: Keylogging on X is something I think is overblown; yes, it's a trade in security that programs have access to input devices, but in a way I don't expect my display environment to be my last line of defense against a keylogger. I think a lot of Wayland/Flatpak security models and hyper-aggressive sandboxization are people wanting to be able to run proprietary untrusted software safely and easily, which is an impossibility. I'd rather try to use free software that is less likely to contain a keylogger or engage in negative behavior on my system; of course I would theoretically want all software to be run in a sensible sandbox.
And there is definitely a usability tradeoff with Wayland, as in entire concepts of programs are impossible because of their security model.
Something I've noticed is that AppArmor definitely seems to have fallen out of favor, and even after all this time lots of packages don't ship an AppArmor profile by default, yet I think it is probably the best way to have good, user-friendly sandboxing out of the box.
And yeah, there's definitely an appeal to a little extra security in Wayland, but I have to wonder if the point at which it's relevant is already too late. Plus, with Wayland being newer, who knows what other vulnerabilities might pop up that don't apply to X (though I get that the idea was supposed to be something like less code = less potential vulnerabilities). The only problems I have with Wayland itself are problems related to it being new, which to me are mainly issues of support for my hardware (NVIDIA = I currently have no redshift-like functionality on Wayland, and last I checked Krita was non-functional with hardware acceleration) and general refinement. Every DE or WM I've tried was buggy or missing features. I also don't want to leave all my favorite WMs behind (icewm, openbox, jwm, sawbox, fvwm), and it sounds like it'll be far more work for people to make new WMs (or port old ones) since they have to make a compositor as well. On the other hand: when Wayland was working, it was the smoothest, most tear-free experience I've had. On X I often have to resort to Picom for vsync, and it's always giving me some problem or another.
I haven't looked into AppArmor at all; perhaps I should.
-
- Posts: 59
- Joined: 2021-08-13 19:55
- Location: Minnesota
- Has thanked: 5 times
- Been thanked: 4 times
Re: [POLL] Let's all play in the sandbox!
I don't use any sandboxing other than AppArmor, but only because it is installed by default.
I have very basic needs, so everything that I need is generally in repos.
I will consider something (tarball or deb) from an external source if it is recommended either by Debian, like Firefox for example (but I currently run ESR from the repo), or by an established forum member.
-
- Posts: 55
- Joined: 2022-10-20 18:18
- Has thanked: 2 times
Re: [POLL] Let's all play in the sandbox!
I use flatpak basically just for a bunch of emulators (including Dolphin, Citra, Yuzu, and RetroArch) that don't have a more convenient and reliable solution, even if compiling from source might be more efficient in terms of disk space.
I use chroot and VMs to do things like get a list of all packages that would be installed with debootstrap + "apt install task-[DE of choice]-desktop" so that I can get rid of all bloat and start from a "blank state." Or sometimes because I feel like playing with the live ISOs of older versions of Debian for instance.
Re: [POLL] Let's all play in the sandbox!
AppArmor, since before it became set up by default. I install and enable the extra profiles too. The only thing is that the AppArmor profiler for making your own profiles is very intuitive and very difficult to use. And I don't consider myself to be some *nix newbie either. Is there anybody who actually consistently crafts their own AppArmor profiles?
- BBQdave
- df -h | participant
- Posts: 115
- Joined: 2011-09-25 03:38
- Location: North Carolina
- Has thanked: 3 times
- Been thanked: 9 times
Re: [POLL] Let's all play in the sandbox!
AppArmor, default for Debian. And SELinux, default for Fedora Linux.
I have checked out snaps and flatpaks, but I do not fully understand the advantage of sandbox applications over packages from trusted repos such as Debian, Fedora, Ubuntu. I too, want to manage only one packaging scheme on my desktop.
My use is a workstation (vanilla Debian-Gnome) with GNU Image Manipulation Program (GIMP) added and Google Chrome added.
I can feel the eye rolls and security sighs with the addition of Google Chrome
But I use Google Chrome's suite of applications with different organizations, one being a home school group.
To my understanding, Google Chrome has not weakened my security with Debian.
On quest for blue smoke and red rings!
Debian 11 Toshiba Satellite C655 | i3 2.3Ghz | Intel HD Graphics 3000 | 8GB RAM | 65GB SSD
- CynicalDebian
- Posts: 148
- Joined: 2023-03-02 05:26
- Location: California, USA
- Has thanked: 28 times
- Been thanked: 28 times
- Contact:
Re: [POLL] Let's all play in the sandbox!
I appreciate all your responses; as I expected, most people tend to avoid manual sandboxing. It can definitely be a pain!
MiracleDinner wrote: I use flatpak basically just for a bunch of emulators (including Dolphin, Citra, Yuzu, and RetroArch) that don't have a more convenient and reliable solution, even if compiling from source might be more efficient in terms of disk space.
I use chroot and VMs to do things like get a list of all packages that would be installed with debootstrap + "apt install task-[DE of choice]-desktop" so that I can get rid of all bloat and start from a "blank state." Or sometimes because I feel like playing with the live ISOs of older versions of Debian for instance.
Seems sane to me; I don't mess around with emulators too much. Usually if I am doing anything like that it is just for fun, and after building from source it's getting rm'ed anyway. I really should be running all proprietary stuff like that in a Firejail though.
Uptorn wrote: AppArmor, since before it became set up by default. I install and enable the extra profiles too. The only thing is that the AppArmor profiler for making your own profiles is very intuitive and very difficult to use. And I don't consider myself to be some *nix newbie either. Is there anybody who actually consistently crafts their own AppArmor profiles?
I think you meant to say "unintuitive" but yes, rolling your own AppArmor profiles requires some skill and usually deep knowledge about the program you are trying to sandbox. I am sure some turbo nerd out there can do it; ideally I think most apps in the repo would ship with an AppArmor profile and perhaps apt would give you info on the profile once installed. Maybe we could have a GUI frontend for managing AppArmor. Instead I think we will end up bowing to our Flatpak overlords. For the most part though, sandboxing seems to be mainly just a workaround for the reality that most proprietary software is poorly written and unsafe.
I gave this example before but I will reiterate... Steam, written by Valve, supposedly "friends" of Linux, tries to write to /boot/efi, and their client is crappy Chromium anyway. Always hilarious that supposedly "paying customers" who are supposed to be receiving a premium service are mistreated like this.
BBQDave wrote: My use is a workstation (vanilla Debian-Gnome) with GNU Image Manipulation Program (GIMP) added and Google Chrome added.
I can feel the eye rolls and security sighs with the addition of Google Chrome :D But I use Google Chrome's suite of applications with different organizations, one being a home school group.
To my understanding, Google Chrome has not weakened my security with Debian.
I wouldn't say there is any added security risk from using Google Chrome, outside of the usual untrusted-debs issues, and my understanding is Google Chrome will update itself outside of the package manager. I wonder why you do not use Chromium, since I believe it integrates well with the Google suite?
The majority of complaints would be about the privacy issues associated with Googleware and their Borg-like takeover of the internet. It is definitely hard to beat their convenience though!
Be seeing you...
Re: [POLL] Let's all play in the sandbox!
CynicalDebian wrote: ↑2023-05-24 16:35 I gave this example before but I will reiterate... Steam, written by Valve, supposedly "friends" of Linux, tries to write to /boot/efi, and their client is crappy Chromium anyway. Always hilarious that supposedly "paying customers" who are supposed to be receiving a premium service are mistreated like this.
Steam's client is absolute garbage. Whenever Steam is the only/best place to buy something I'm interested in, afterwards I generally check to see if it's DRM-free, grab a Steam emulator, or do whatever else might be necessary to separate it from Steam and play it through Lutris or native Wine instead.
Re: [POLL] Let's all play in the sandbox!
CynicalDebian wrote: ↑2023-05-24 16:35 I think you meant to say "unintuitive" but yes, rolling your own AppArmor profiles requires some skill and usually deep knowledge about the program you are trying to sandbox. I am sure some turbo nerd out there can do it; ideally I think most apps in the repo would ship with an AppArmor profile and perhaps apt would give you info on the profile once installed. Maybe we could have a GUI frontend for managing AppArmor.
Yes, I meant unintuitive. It's really the kind of thing that should be interactive. An ideal interactive GUI would report the things a program is trying to access, which are all blocked by default, and the user selectively allows each permission as needed. The model of having foreknowledge of a program really doesn't scale, since it is impossible to write and ship the profiles needed for each and every single program a user will potentially run. Better would be to have a global ruleset that restricts all new/unrecognized programs by default.
CynicalDebian wrote: Instead I think we will end up bowing to our Flatpak overlords.
I would just as soon leave Debian for another distro if this ever came to pass.
CynicalDebian wrote: For the most part though, sandboxing seems to be mainly just a workaround for the reality that most proprietary software is poorly written and unsafe.
Even our friendly neighborhood FOSS software can sometimes inadvertently access things we don't want it touching. For example, I want programs to keep their grubby hands off creating unsolicited directories in my ~/home, or from reaching out over the network to check for updates (this is what apt is for, dammit!).
CynicalDebian wrote: I gave this example before but I will reiterate... Steam, written by Valve, supposedly "friends" of Linux, tries to write to /boot/efi, and their client is crappy Chromium anyway. Always hilarious that supposedly "paying customers" who are supposed to be receiving a premium service are mistreated like this.
I can't imagine there being much overlap between the crowd who run Steam and those who care about or even know about mandatory access control.
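The interactive workflow Uptorn describes in both of his posts (report what a program tried to touch, then let the user allow or deny each access) is what aa-logprof does over the kernel's audit messages. The script below is an added example, not from the thread or from the AppArmor project: it turns a few constructed apparmor="DENIED" / apparmor="ALLOWED" audit lines into candidate profile rules, rewriting the home path as @{HOME}, adding the owner qualifier when the process uid and the file owner match, and proposing a deny rule instead of an allow for anything under ~/.ssh or ~/.gnupg. The profile path /usr/bin/example-app and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the AppArmor project. Converts AppArmor
# audit messages into candidate profile rules, the way aa-logprof reports them.
# The profile /usr/bin/example-app and the log lines below are constructed.

# Read audit lines on stdin; print "profile<TAB>rule" for each access the
# profile did not grant (DENIED in enforce mode, ALLOWED in complain mode),
# sorted and de-duplicated. Lines of other kinds (STATUS, AUDIT) are ignored.
aa_suggest() {
    awk '
    {
        split("", kv)                      # key=value pairs of this line
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            gsub(/"/, "", v)
            kv[k] = v
        }
        if (kv["apparmor"] != "DENIED" && kv["apparmor"] != "ALLOWED") next
        prof = kv["profile"]
        if (prof == "") next
        rule = ""
        if (kv["family"] != "") {
            # network access: address family and socket type are all the rule needs
            rule = "network " kv["family"] " " kv["sock_type"] ","
        } else if (kv["name"] != "") {
            p = kv["name"]
            sub(/^\/home\/[^\/]+/, "@{HOME}", p)
            m = kv["denied_mask"]; mask = ""
            # create/delete/append are all covered by w; emit in canonical order
            if (m ~ /r/)      mask = mask "r"
            if (m ~ /[wcda]/) mask = mask "w"
            if (m ~ /m/)      mask = mask "m"
            if (m ~ /k/)      mask = mask "k"
            if (m ~ /x/)      mask = mask "x"
            if (index(p, "@{HOME}/.ssh/") == 1)
                rule = "deny @{HOME}/.ssh/** rw,"
            else if (index(p, "@{HOME}/.gnupg/") == 1)
                rule = "deny @{HOME}/.gnupg/** rw,"
            else if (index(p, "@{HOME}/") == 1 && kv["fsuid"] == kv["ouid"])
                rule = "owner " p " " mask ","
            else
                rule = p " " mask ","
        }
        if (rule != "") print prof "\t" rule
    }' | LC_ALL=C sort -u
}

# Constructed audit lines: an enforce-mode profile refusing an ssh key read and
# a config-dir creation, a TCP socket creation, one complain-mode access for
# contrast, and a STATUS line that must be ignored.
AUDIT_SAMPLE='type=AVC msg=audit(1684900000.123:456): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/home/user/.ssh/id_ed25519" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1684900001.456:457): apparmor="DENIED" operation="mkdir" profile="/usr/bin/example-app" name="/home/user/.example-app/" pid=4242 comm="example-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1684900002.789:458): apparmor="DENIED" operation="create" profile="/usr/bin/example-app" pid=4242 comm="example-app" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1684900003.000:459): apparmor="ALLOWED" operation="open" profile="/usr/bin/example-app" name="/etc/ld.so.cache" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1684900004.000:460): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/example-app" pid=1 comm="apparmor_parser"'

suggest_sample() {
    printf '%s\n' "$AUDIT_SAMPLE" | aa_suggest
}

# Real use:  journalctl -k | grep apparmor | aa_suggest
suggest_sample
```

On a real system feed it `journalctl -k | grep apparmor` (or /var/log/audit/audit.log where auditd is running). Put the program in complain mode first with `aa-complain /usr/bin/example-app`, so every access gets logged instead of the first refusal breaking the program, paste the rules you accept into the profile, and switch back with `aa-enforce`. The "restrict everything unknown by default" wish does not map onto AppArmor's model: only a process confined by a loaded profile is restricted, an unconfined binary produces no messages at all, and `aa-status` is the place to see which processes are actually confined.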
-
- Global Moderator
- Posts: 1943
- Joined: 2018-06-20 15:16
- Location: Colorado
- Has thanked: 18 times
- Been thanked: 75 times
Re: [POLL] Let's all play in the sandbox!
I prefer tear-offs.Take a face of mud, tear off a layer and keep going...
qemu-img create -f qcow2 -F qcow2 -b base.qcow2 layer.qcow2   # -F names the backing format; newer qemu-img expects it whenever -b is given