How do I isolate linux apps that don't have flatpak version?

Let’s take Signal, for example. There is no official Signal flatpak, and unofficial apps can’t be fully trusted (yes, it’s open source; no, I can’t review the source code of every app I use). Besides this, there are a lot of apps that don’t have any flatpak version at all.

So to use the official Signal Desktop for Linux, I have to add Signal’s repo to my system, which, to my knowledge, is a very insecure thing to do. And I will still need to find a way to isolate it and control its permissions.

I’m fine with Flatpak’s not-so-perfect sandboxing, since it gives me the ability to take away many permissions I don’t use; with Flatseal it’s almost as easy as with Android.

Given that I don’t use QubesOS, and it is very resource demanding and cumbersome to run a new virtual machine for every app I need to use on a daily basis, what alternatives exist?

I’ve read about existing sandboxing solutions; it seems that they are all either not so secure or very hard to implement, often both.

Currently I’m thinking about using containers. Is it a viable option to run apps like Signal in different containers or am I misunderstanding something?


I wrote a guide. You can also use firejail.

edit:

No it isn’t. You should trust the repo, of course, but why would it be insecure?


Thank you, but for me it falls under the category of imperfect solutions, which are quite hard to use. And I don’t use Arch btw.

Because I don’t want to fully trust 3rd party repositories, which, if I understand correctly, theoretically have the ability to replace all software in my system with their own modified versions when I do an update.

You don’t need half of what is in the guide; you can configure it with the GUI and it will (probably) be fine for the most part, if you’re using GNOME. Just check it if something doesn’t work, as it may.

The only reason the guide is specifically “for arch distros” is because some of the packages I mention are in the AUR which makes things easier. Firejail is also like 2 commands to set up and use, and it’s also fine.
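As an added illustration of the “two commands” point above (this is example code written for this thread, not from @asanyan’s guide or from the Firejail project): Firejail reads `~/.config/firejail/NAME.local` on top of the distro-supplied `/etc/firejail/NAME.profile`, so per-app permission overrides live in a small file that survives package upgrades, which is roughly what Flatseal does for a Flatpak. The script assumes your distro ships `signal-desktop.profile` and that you launch Signal with `firejail signal-desktop`; the directives are standard Firejail profile syntax.

```shell
#!/bin/sh
# Added example: tighten the stock Firejail profile for Signal Desktop the way
# Flatseal tightens a Flatpak. Assumes /etc/firejail/signal-desktop.profile
# exists (it does on common distros) and that it includes signal-desktop.local.

# Write the override file for signal-desktop into directory $1
# (defaults to ~/.config/firejail). Prints the path written.
write_signal_local() {
    dir="${1:-$HOME/.config/firejail}"
    mkdir -p "$dir"
    f="$dir/signal-desktop.local"
    cat >"$f" <<'EOF'
# Local overrides layered on /etc/firejail/signal-desktop.profile
# Keep the network: Signal is useless without it, so do NOT add "net none".
# Hardening the stock profile may already set; repeating it is harmless.
caps.drop all
nonewprivs
noroot
seccomp
# Hide secrets the messenger has no reason to read. The stock profile already
# whitelists only ~/.config/Signal, so this is belt and braces.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.mozilla
# Devices: drop what you do not use. Remove "novideo" if you make video calls.
nodvd
notv
nou2f
novideo
EOF
    echo "$f"
}

# Count the hardening directives present in an override file, so a setup
# script can confirm the file was not silently truncated or hand-edited away.
count_directives() {
    grep -c -E '^(caps\.drop all|nonewprivs|noroot|seccomp|blacklist |no[a-z0-9]+)' "$1"
}

# Usage (interactive):
#   write_signal_local        # writes ~/.config/firejail/signal-desktop.local
#   firejail signal-desktop   # launches with the stock profile plus your overrides
#   firejail --list           # shows running sandboxes and the profile each uses
```

The point of keeping overrides in `.local` rather than editing `/etc/firejail/signal-desktop.profile` directly is the same as with Flatseal: the distro can keep shipping profile updates while your restrictions stay put, and a diff of one short file tells you exactly what you took away.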

OK, I didn’t read thoroughly enough about firejail, because from the start I found negative reviews about its security model, but now I see that this is an imperfect solution which is, at least, not so hard to use.

Anyway, I still have to deal with 3rd party repositories, and while I can trust that Signal developers probably wouldn’t try to compromise my system that way, it may not be the case with other developers and their repos.

So there are no other solutions? How about podman or something similar?

Firejail is fine. It may not be as good as some of the alternatives in some regards but if you can’t be bothered to learn these tools it’s much better than doing nothing. The perfect is the enemy of the good.

That’s the problem of not using Arch. You could probably use distrobox, but idk if you can use bubblejail inside it. It would also add more complexity to your setup, which isn’t good if you can help it.

Sure, but in what world would that be easier than setting up bubblejail?

Appreciate the bubblejail suggestion and tutorial @asanyan; it looks promising, but the GitHub page shows there are already quirks for non-AUR installs that have instructions, so I’m guessing I’d be upstream w/o a paddle if my distro isn’t listed.

@n_n I tried Firejail myself and struggled before giving up. The documentation is almost exclusively on the creator’s website (online tutorials just rehash the basics). They do have a semi-recent video on odyssey that helped w/ the setup IIRC but otherwise, the documentation is pretty mundane. More importantly, in my experience, the documentation only provides guidance for basic setup, but troubleshooting/customization isn’t covered in-depth even tho that is a necessary ability to use the tool.

The modern solution at the moment appears to be systemd-nspawn which is summarized as “a lighter-weight alternative to Docker that’s built into systemd. It’s often described as ‘chroot on steroids’ because it provides container-like isolation without the additional complexity of Docker’s ecosystem.”

I’ve been dragging my feet on learning it, but stumbled across the arch-wiki breakdown just now, which looks promising. The tool should be compatible across all of the well-known Linux distros as long as you aren’t an anti-systemd stalwart.