Anybody here using firejail on Linux Desktop?

Hi pals,
I have been using firejail globally on my desktop. It was interesting to see firefox was restricted to only ~/Downloads, and akregator crashed; I had to do some whitelisting to make it work.
Are you using firejail?
What are your experiences?
I want everybody to use firejail, should we make it mandatory on PG?

Firejail does have some drawbacks; see Sandboxing Applications on Desktop Linux - Privacy Guides.

1 Like

Yeah, the setuid bit is the main problem here by design. Hopefully bubblewrap will take over Desktop Linux soon.

bwrap and firejail are not the same. the primary benefit of firejail is that it has hundreds of premade profiles for programs, no other similar program has that.

even flatpak+flatseal is often more permissive than you can make a firejail profile.

If you need an introduction, I strongly recommend watching my video on it.
There are also lightly hardened builds in my rpm repo.

(disclaimer: am/was firejail maintainer)

3 Likes

Can you include a link to the video you mentioned @SkewedZeppelin?

https://divested.dev/videos/Firejail-20210101.1080p.m4v

Portals are being made for that IIRC. Yes, that’s true, flatpaks made today claim to be “sandboxed”.
Is apparmor with firejail good?
Your thoughts on SELinux? I want to learn it, but it needs to be simple.
Can you give your thoughts on SELinux vs apparmor? Just one word, no bashing: what will you pick?