Rate my desktop linux security setup

Over the last few months I’ve been trying to improve my security setup so I thought I’d share the measures I’m currently taking and ask for feedback. Please tell me if I’m doing something stupid or missing something. (Warning: wall of text)

Security measures:

  • Compile the kernel, with CFI, full LTO, hardened patches (when up to date), and only the required modules (~250).

  • Hardened boot parameters, sysctls, (mostly) in accordance to madaidan and privsec’s guides. Misc hardening like enabling NTS, hardened mountpoints, hidepid, disabling coredumps etc. also done. Read permissions to non-root users in some top-level directories like /usr/src and /usr/lib/modules are removed.

  • Hardened malloc (light) is preloaded for system apps, and disabled with bwrap in firefox and gaming sandboxes for increased performance.

  • I use roddhjav’s apparmor profiles for securing most things on the system. As of the time of writing, I only have 17 binaries running unconfined, and these are things like the shell, the terminal emulator, systemd, crond, and other programs used for administration purposes and that need near full rights to the system.

  • I use bubblejail for sandboxing apps. Most apps play well in a sandbox and work flawlessly; an exception is the web browser that I use for video calls, because my webcam sucks and if it disconnects, due to how bwrap works I need to restart the sandbox to fix it. For these cases, I rely on apparmor and intgr’s ego for user separation. Apparmor still works with bubblejail too, restricting some read access to top-level directories (bubblejail allows full read access to things like /usr and /opt). I take care to allow userns for web browsers, other programs have this functionality restricted.

  • I have firejail installed as it restricts some simple programs that I wouldn’t bother setting up a sandbox for normally, e.g. ping, man, lynx.

  • As WINE still requires X to run most games in a performant way, I take care as to never run any X11 app unsandboxed, as that would allow for a sandbox escape. My terminal emulator of choice (foot) is wayland-only.

  • I use Hyprland as the wayland compositor. It may not be the objectively best choice, however it does implement the security context wayland protocol now.

  • Mullvad is my VPN provider of choice. I take care to run browser sandboxes that need to know my identity with mullvad-exclude.

  • As a password manager, I use pass with wtype for auto-typing functionality rather than copy and paste.

  • Root partition is encrypted with LUKS.

TCB and security flaws with the setup:

  • Everything that runs as my user (wheel) without sandboxing or a restrictive MAC policy is trusted. To avoid hassle, I also have polkit rule to always return yes to wheel users, and sudo is passwordless, so wheel == root pretty much. I don’t think it’s an issue unless I allow my sandboxes to communicate with the polkit dbus (which I don’t).

  • Most programs still use pulseaudio which is bad, though I prefer passing pipewire or alsa (via pw-alsa) to sandboxes when possible. I unplug the microphone when not in use. X11 is also a problem but hopefully not that big of a deal as I don’t ever run X apps unsandboxed. I’d prefer having a separate X server per-app but it seems hard.

  • Hardware is trusted, and since I drive old hardware, I don’t bother with things like secure boot. I enable iommu but it’s kinda moot as I hardly ever unplug my USB devices.

  • I’m yet to setup a firewall and network isolation for sandboxes (I tried before but it breaks stuff).

  • I’m yet to remove SUID from binaries that don’t require it.

  • I sometimes compile programs from the AUR, which could compromise my system if the app is malicious. I usually prefer binary releases to avoid this problem though.

  • Sometimes I boot with kernel mitigations disabled to play games (very old cpu, 30% performance hit), but I take care to not open any sensitive files or apps, and reboot before engaging in normal desktop use.

Rather comical putting in so much effort to secure your kernel, only to skip Secure Boot, enabling the potential for bootkits. Secure Boot is not just for protecting against Evil Maid Attacks. It’s used to ensure your kernel hasn’t been tampered (via kernel module signing and kernel image signing) along with asserting your boot procedure hasn’t been tampered with.

Given the level of customization you have opted for, I’m genuinely surprised you chose Arch over Gentoo.

Be careful, what you don’t know, could bite you. I’m not going to bother rating your “secure operating system”. I will only exercise caution to everyone that sometimes (actually, a lot of the time), it’s just better to choose an operating system with sane defaults that will be good enough for most people, such as Fedora Workstation.

1 Like

AFAIK there’s no way for me to fully protect against those either way beecause I’m running hardware that is 8~10 years old. Secure boot would patch some of the holes but not all of them.

Certainly. Hence the thread.

Just wanted to pop in and say I always super appreciate links to resources and definitions in a post. Let’s anyone deep dive in the topic without too much derailment.

3 Likes