Over the last few months I’ve been trying to improve my security setup so I thought I’d share the measures I’m currently taking and ask for feedback. Please tell me if I’m doing something stupid or missing something. (Warning: wall of text)
Security measures:
Compile the kernel, with CFI, full LTO, hardened patches (when up to date), and only the required modules (~250).
Hardened boot parameters, sysctls, (mostly) in accordance with madaidan and privsec’s guides. Misc hardening like enabling NTS, hardened mountpoints, hidepid, disabling coredumps etc. also done. Read permissions to non-root users in some top-level directories like /usr/src and /usr/lib/modules are removed.
Hardened malloc (light) is preloaded for system apps, and disabled with bwrap in firefox and gaming sandboxes for increased performance.
I use roddhjav’s apparmor profiles for securing most things on the system. As of the time of writing, I only have 17 binaries running unconfined, and these are things like the shell, the terminal emulator, systemd, crond, and other programs used for administration purposes and that need near full rights to the system.
I use bubblejail for sandboxing apps. Most apps play well in a sandbox and work flawlessly; an exception is the web browser that I use for video calls, because my webcam sucks and if it disconnects, due to how bwrap works I need to restart the sandbox to fix it. For these cases, I rely on apparmor and intgr’s ego for user separation. Apparmor still works with bubblejail too, restricting some read access to top-level directories (bubblejail allows full read access to things like /usr and /opt). I take care to allow userns for web browsers, other programs have this functionality restricted.
I have firejail installed as it restricts some simple programs that I wouldn’t bother setting up a sandbox for normally, e.g. ping, man, lynx.
As WINE still requires X to run most games in a performant way, I take care to never run any X11 app unsandboxed, as that would allow for a sandbox escape. My terminal emulator of choice (foot) is wayland-only.
I use Hyprland as the wayland compositor. It may not be the objectively best choice, however it does implement the security context wayland protocol now.
Mullvad is my VPN provider of choice. I take care to run browser sandboxes that need to know my identity with mullvad-exclude.
As a password manager, I use pass with wtype for auto-typing functionality rather than copy and paste.
Root partition is encrypted with LUKS.
TCB and security flaws with the setup:
Everything that runs as my user (wheel) without sandboxing or a restrictive MAC policy is trusted. To avoid hassle, I also have a polkit rule to always return yes to wheel users, and sudo is passwordless, so wheel == root pretty much. I don’t think it’s an issue unless I allow my sandboxes to communicate with the polkit dbus (which I don’t).
Most programs still use pulseaudio which is bad, though I prefer passing pipewire or alsa (via pw-alsa) to sandboxes when possible. I unplug the microphone when not in use. X11 is also a problem but hopefully not that big of a deal as I don’t ever run X apps unsandboxed. I’d prefer having a separate X server per-app but it seems hard.
Hardware is trusted, and since I drive old hardware, I don’t bother with things like secure boot. I enable iommu but it’s kinda moot as I hardly ever unplug my USB devices.
I’m yet to set up a firewall and network isolation for sandboxes (I tried before but it breaks stuff).
I’m yet to remove SUID from binaries that don’t require it.
I sometimes compile programs from the AUR, which could compromise my system if the app is malicious. I usually prefer binary releases to avoid this problem though.
Sometimes I boot with kernel mitigations disabled to play games (very old cpu, 30% performance hit), but I take care to not open any sensitive files or apps, and reboot before engaging in normal desktop use.
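As an added example (not part of the original post), a small POSIX sh audit script that checks three of the measures listed above: it enumerates SUID/SGID files still present, reads the hidepid option of the /proc mount, and flags coredump-related sysctls that are weaker than the values this example assumes (fs.suid_dumpable=0 and a kernel.core_pattern piped to a handler). The function names and the AUDIT_LIVE switch are this example's own.

```shell
#!/bin/sh
# Added audit helpers (not from the original post) for three of the measures
# listed above: SUID removal, hidepid on /proc, and disabled coredumps.
# Assumptions: POSIX sh with find(1) and awk(1); the "hardened" sysctl values
# checked here (fs.suid_dumpable=0, core_pattern piped to a handler) are the
# ones this example assumes, not values quoted in the post.

# Print every set-uid or set-gid regular file under $1, sorted, one per line.
# Run against / to get the list of binaries still carrying SUID/SGID bits.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Read /proc/mounts-formatted lines on stdin and print the hidepid= option of
# the /proc mount, or "none" if /proc is mounted without it.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (sub(/^hidepid=/, "", opts[i])) { print opts[i]; found = 1 }
         }
         END { if (!found) print "none" }'
}

# Read "key = value" lines (sysctl -a format) on stdin and print the keys whose
# value is weaker than the assumed hardened setting.
weak_coredump_sysctls() {
    awk -F' = ' '
        $1 == "fs.suid_dumpable"    && $2 != "0"               { print $1 }
        $1 == "kernel.core_pattern" && substr($2, 1, 1) != "|" { print $1 }'
}

# Stand-alone usage against the live system (output is host specific).
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    echo "SUID/SGID files:"; list_suid /
    echo "hidepid: $(proc_hidepid < /proc/mounts)"
    echo "weak coredump sysctls:"; sysctl -a 2>/dev/null | weak_coredump_sysctls
fi
```

Run it with AUDIT_LIVE=1 to report on the current machine; without it the file only defines the functions so they can be sourced or tested against constructed input.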
Rather comical putting in so much effort to secure your kernel, only to skip Secure Boot, enabling the potential for bootkits. Secure Boot is not just for protecting against Evil Maid Attacks. It’s used to ensure your kernel hasn’t been tampered with (via kernel module signing and kernel image signing) along with asserting your boot procedure hasn’t been tampered with.
Given the level of customization you have opted for, I’m genuinely surprised you chose Arch over Gentoo.
Be careful, what you don’t know, could bite you. I’m not going to bother rating your “secure operating system”. I will only exercise caution to everyone that sometimes (actually, a lot of the time), it’s just better to choose an operating system with sane defaults that will be good enough for most people, such as Fedora Workstation.
AFAIK there’s no way for me to fully protect against those either way because I’m running hardware that is 8~10 years old. Secure boot would patch some of the holes but not all of them.
Just wanted to pop in and say I always super appreciate links to resources and definitions in a post. Let’s anyone deep dive in the topic without too much derailment.
Hey, nice build, did you only notice issues in video calls with the webcam using web browsers with bubblejail? I wonder whether or not I should adopt bubblejail for a distro-maintained web browser installation.
Grade was based on kernel hardening, sandboxing effectiveness, user permissions, network isolation, and overall system configuration security. Based on the info provided.
No firewall. You need a whitelist firewall - control what is allowed to go out and what is allowed to go in.
No Secure Boot. SB is a security protocol and protects your firmware and OS and many other things. On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode.
The second VM doesn’t actually run inside of the first VM.
Instead the host OS and both VMs each run in a different context of the CPU.
Additionally, issues like Spectre make it possible to leak across this boundary.
There could be some benefits of nested virtualization, BUT there is a big caveat here.
Basically, if the paravirt drivers were exploited to escape the second VM, the first VM would be compromised, but if you’re likely running the same hypervisor for both, it could just repeat such an attack and gain host access.
In general all of these features are included if using “Host Passthrough” or “Host Model”.
pcid, spec-ctrl, stibp, ssbd, pdpe1gb, md-clear, mds-no, taa-no, tsx-ctrl, bhi-no, gds-no, rfds-no.
Not all CPU vulnerabilities are addressed, but many.