Brace toolkit

I just found out about the brace toolkit. Has anyone here tried it? How did it work for you? Should PrivacyGuides mention it in an advanced section like Arkenfox?

Looking at the repo, I’m not sure how the installation process works, if I can skip certain modifications, etc. I’m currently on Fedora 40 and have implemented various security tweaks I’d like to keep for usability, for example. But it looks really interesting, so I wanted to ask the community.

2 Likes

Does it use hardened_malloc?

I’m not sure, but I know divested packages hardened_malloc for Linux: divested/rpm-hardened_malloc: Unofficial micro-architecture optimized hardened_malloc package || https://github.com/GrapheneOS/hardened_malloc - Codeberg.org

1 Like

One of our fellow forum members @SkewedZeppelin maintains Brace. I haven’t personally used it, but it looks interesting, and I’ve been meaning to at least try it out in a VM.

1 Like

no, brace is purely configurations, but I offer an unofficial optimized hardened_malloc package too, linked above.
both it and my packaged firejail include workarounds to make it easy to use systemwide.

2 Likes

So are users able to install specific configuration scripts from the contents section of the readme? Sorry for the basic questions, but I couldn’t find a wiki or installation process anywhere.

@simony
no, only the whole thing like:

sudo dnf install https://divested.dev/rpm/fedora/divested-release-20240607-1.noarch.rpm
sudo dnf install brace
#the next steps are optional but recommended
sudo brace-enable-rpmfusion #if you want foss but patent encumbered codecs
sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld --allowerasing #to fix hardware video acceleration
sudo brace-installer #to install recommended programs
sudo brace-supplemental-changes #for additional global changes
brace-supplemental-changes #for additional user changes
sudo dnf install firejail hardened_malloc && sudo firecfg #for extra security
sudo brace-enable-fapolicyd #to enable application allowlisting and binary verification

note: adding the repo automatically pulls in real-ucode.
the list of packages divested-release can provide is also hardcoded to prevent any other replacements.

you can then run brace-audit to verify it is running.

5 Likes