Basically

  • Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
  • The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
  • the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!
  • X11 is insecure, okay we know that
  • the kernel is very bloated and everything in there has all the permissions, which is not needed
  • Kernel bugs are often not fixed quickly or at all
  • Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE

I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.

On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.

This would mean user namespaces need to be enabled again, which I can’t seem to make work with

sudo sysctl -w kernel.unprivileged_users_clone=1

But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?

I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):

https://github.com/qoijjj/hardened-images

The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.

Maybe nix is a solution? Would this be a good idea?

Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.

What do you know about this?