Application settings on macOS and Linux

Hello,

On macOS there is a feature that I find cool: for each application, you can set the privacy settings. For example, this application can’t access files or the camera, or take screenshots or control the keyboard.

I think this is cool because it adds security and privacy.

Unfortunately, this is not the case on Linux. So I’m wondering if there are any Linux distributions that add this feature (and why isn’t this the case for all operating systems?).

You can set per app permissions for Flatpak apps.


As the other user mentioned, Flatpak apps provide similar controls with Flatseal, though not all of the ones that macOS has (although it has better controls for filesystem sandboxing).

Or, for a more advanced option, there’s Firejail.
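An added example, not code from any poster in this thread: a small audit of a Flatpak app's permissions for the broad grants that correspond to the macOS toggles in the question (files, camera, screen and keyboard). It assumes the keyfile text printed by `flatpak info --show-permissions <app-id>`; the sample app data is constructed, and the `BROAD` table is a selection made for this example, not an official list.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; the grants are made up.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
"""

# Broad grants, chosen for this example (an assumption, not an official list).
BROAD = {
    "filesystems": {
        "host": "access to nearly all host files",
        "home": "access to the whole home directory",
    },
    "devices": {"all": "every device node, cameras included"},
    "sockets": {"x11": "X11 clients can capture the screen and read or inject input"},
}

def audit_permissions(keyfile_text):
    """Return sorted (key, value, reason) tuples for broad grants in [Context]."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written
    parser.read_string(keyfile_text)
    findings = []
    if not parser.has_section("Context"):
        return findings
    for key, risky in BROAD.items():
        raw = parser.get("Context", key, fallback="")
        for value in filter(None, (v.strip() for v in raw.split(";"))):
            if value.startswith("!"):      # override files write denials as "!home"
                continue
            name = value.split(":", 1)[0]  # drop a :ro / :rw / :create suffix
            if name in risky:
                findings.append((key, value, risky[name]))
    return sorted(findings)

if __name__ == "__main__":
    for key, value, reason in audit_permissions(SAMPLE):
        print(f"{key}={value}: {reason}")
```

Anything it flags can then be narrowed per app in Flatseal or with `flatpak override`.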

While Firejail is an option, it is not recommended due to it being an SUID program and significantly increasing your attack surface, IIRC.

Being an SUID program by itself is not a problem. Flatpak/Bubblewrap also need to be SUID on systems without unprivileged user namespaces. The question is, does it drop privileges reliably and with little attack surface? Bubblewrap does that. Not sure about Firejail.

I said it was SUID AND it significantly expands your attack surface. Bubblewrap is much more limited in scope IIRC and has a much smaller overall attack surface.

Also, isn’t it good security practice to reduce the number of SUID programs you use to the bare minimum, simply because they have so much access?