Hi pals,
I have been using firejail globally on my desktop. It was interesting to see firefox was only restricted to only ~/Downloads, and akregator crashed had to do some whitelisting to make it work.
Are you using firejail?
What are your experiences?
I want everybody to use firejail, should we make it mandatory on PG?
1 Like
Firejail does have some drawbacks, Sandboxing Applications on Desktop Linux - Privacy Guides.
2 Likes
Yeah setuid bit is the main problem here by design. Hopefully bubblewrap will take over Desktop Linux soon.
bwrap and firejail are not the same. the primary benefit of firejail is that it has hundreds of premade profiles for programs, no other similar program has that.
even flatpak+flatseal is often more permissive than you can make a firejail profile.
If you need an introduction, I strongly recommend watching my video on it.
There are also lightly hardened builds in my rpm repo.
(disclaimer: am/was firejail maintainer)
4 Likes
Can you include a link to the video you mentioned @SkewedZeppelin?
Portals are being made for that IIRC. Yes that’s true flatpak made today claim to be “sandboxed”.
Is apparmor with firejail good?
Your thoughts on SELinux? I want to learn it, but it needs to be simple.
Can you give your thoughts on SELinux vs apparmor, just one word no bashing, what will you pick?
This is a great tutorial. Thanks for putting it together.
Wow, nice job!
Could you do a tutorial for us users on Windows 10/11? That would be amazing!
Firejail is only for linux
Apparmor is less flexible as it doesn’t support MCS, probably why it’s becoming more common due to container workloads https://www.redhat.com/sysadmin/apparmor-selinux-isolation Worth noting also that, MicroOS and Tumbleweed both use it, which in the past Suse was AppArmor by default.