Secureblue - Atomic Fedora Hardening

Lukas · December 1, 2024, 10:47am

It was time when the developer came in and clarified everything in the posts above. There is literally no valid reason to not recommend this. In fact, it makes a lot more sense to recommend this than Kicksecure because secureblue is based on a sane distribution and not Debian.

anon94009837 · December 1, 2024, 5:17pm

I agree, Kicksecure doesn’t do anything special compared to Secureblue and is much worse in many cases. The Kicksecure recommendation should be removed imo. Whonix still has a use case for anonymity with their gateway-workstation VM setup but if a project can do something similar with Secureblue then it would easily obselete Whonix.

fria · December 1, 2024, 6:00pm

Agree but removing kicksecure should be a separate discussion.

anon94009837 · December 1, 2024, 6:06pm

Yeah I was gonna start one once Secureblue is recommended.

asanyan · December 1, 2024, 7:08pm

didn’t run0 rely on pkexec?

RoyalOughtness · December 1, 2024, 8:04pm

No, and we remove pkexec from secureblue too

github.com

secureblue/secureblue/blob/e3e985af67b4142de1f8c3bd57273143de53ef20/files/scripts/removesuid.sh#L67


      
              while IFS= read -r binary; do
                  if ! is_in_whitelist "$binary"; then
                      echo "Removing SGID bit from $binary"
                      chmod g-s "$binary"
                      echo "Removed SGID bit from $binary"
                  fi
              done
          
          
          rm -f /usr/bin/chsh
          rm -f /usr/bin/pkexec
          rm -f /usr/bin/sudo
          rm -f /usr/bin/su
          
          systemctl enable setcapsforunsuidbinaries.service

RoyalOughtness · December 1, 2024, 8:04pm

The remaining suid binary on secureblue’s main/userns systems is polkit-agent-helper-1, which will go away with the merge of this PR:

github.com/polkit-org/polkit

agent helper: support separate socket-activated service to run without SETUID

polkit-org:main ← bluca:remove_setuid_inet

opened 09:52PM - 16 Sep 24 UTC

bluca

+474 -36

SETUID binaries are considered harmful, as te execution context is under the con…trol of unprivileged attackers. Enhance the polkit pam agent helper with a new mode: when running under systemd, add a socket-activated service that the helper will run under, as root. The agent talks to this service via AF_UNIX instead of spawning it, and STDIN/STDOUT are connected as before. The helper can make use of PID FDs and SO_PEERCRED to reliably identify the caller. In order to do this, a third version of the auth D-Bus method is added, that also takes a subject, built using the PID FD. If the AF_UNIX socket is not present, the agent will fork the helper as before, with no changes. Fixes https://github.com/polkit-org/polkit/issues/169

asanyan · December 2, 2024, 2:11pm

Nice. Are these the only binaries where you replaced SUID with capabilities? I’d like to do something similar on my (arch) system.

Also @RoyalOughtness are there plans for shipping bubblejail profiles for programs and enabling them by default?

+1 but there should be a guide first on how to safely install and run software in Secureblue. Flatpak alone isn’t very good depending on the program due to e.g. device permissions not being flexible enough (device=all is bad and some apps won’t run without it), and idk about how distrobox can be secured (I don’t use it).

There also has to be a documented way on how to safely run X11-only programs. Some programs that PG recommends are X11-only e.g. SimpleX or default to X11 and are by default broken if X11 isn’t available (e.g anything electron). Standard Xwayland isn’t safe. I don’t think it’s a problem that Secureblue can fix themselves but it’s still a problem and users should be informed on how to solve it.

Offtopic but Kicksecure is still a very good option as VMs for the truly paranoid, even if Secureblue is better as a host OS.

Astatine · December 2, 2024, 3:17pm

Off-topic

Can’t one use Flatseal to solve that issue?

asanyan · December 2, 2024, 3:52pm

Off-topic

No. Device permissions are limited to dri, input, kvm, shm, all. If you add custom paths to the sandbox, it’s (AFAIK) a regular bwrap --bind or --ro-bind and won’t work for devices

RoyalOughtness · December 2, 2024, 6:58pm

Nice. Are these the only binaries where you replaced SUID with capabilities?

Yes

Also @RoyalOughtness are there plans for shipping bubblejail profiles for programs and enabling them by default?

Not at the moment because the current #1 priority is SELinux confinement for chromium, bwrap, and flatpak.

+1 but there should be a guide first on how to safely install and run software in Secureblue.

You’re looking for ujust audit-secureblue

anything electron

Most electron apps work fine on wayland-only systems. Aside from that, if a program only supports X11, users are encouraged to find an alternative.

asanyan · December 3, 2024, 2:55am

Sorry if I’m missing something but doesn’t this simply check if all the hardening measures were correctly applied… ?

So, is there no interest at all in supporting running X11 apps securely in the future? Could probably launch something like xwayland-satellite inside each sandbox, set $DISPLAY accordingly and it should just work (mostly).

I know, my problem with this is that these apps are broken by default which isn’t good. If functionality that people expect to just work is broken, then the fix should also be documented, even if you think it’s trivial.

RoyalOughtness · December 3, 2024, 3:27am

Sorry if I’m missing something but doesn’t this simply check if all the hardening measures were correctly applied… ?

It also gives suggestions for hardening flatpaks with overly permissive permissions. Eventually we want it to give suggestions for all findings

So, is there no interest at all in supporting running X11 apps securely in the future?

I wouldn’t say there’s no interest, just that it’s not a priority. X11 is going away and Xwayland is already disabled by default in secureblue. Investing time in a technology that’s being phased out when there are bigger fish to fry just doesn’t seem like a great use of time.

these apps are broken by default which isn’t good

I run an X11/Xwayland-less session and have tested numerous electron flatpaks, all have worked ootb with no workarounds. Other secureblue users have reported the same.

It would help immensely if you provided specific examples.

asanyan · December 3, 2024, 4:23am

Ok, my point here is more about running things that aren’t flatpaks and/or wouldn’t work in a default configuration, or would normally require decreasing the security of the OS (e.g. by enabling Xwayland without taking any extra measures to secure it).

I’m not saying that you should make a guide about t his if it’s not in the scope of the project, but before Secureblue is recommended PG should document how the recommended apps can be run in the distribution, in a way that doesn’t break the security model that you are aiming for.

EDIT: also, some flatpaks do need “bad” permissions to work correctly. Bottles for instance breaks if you deny device=all.

Yes, it’s been “going away” for 5 years or so. Right now I don’t think that it’s feasible for most people to not use X11. Definitely not anyone who plays games as the WINE Wayland driver is not mature yet, Steam still relies on X11 etc.
Plus many apps don’t support native wayland yet even though it’s improving.

At the very least, I think that it would be safest to consider unsetting $DISPLAY outside sandboxes even when Xwayland is enabled, so that the user doesn’t accidentally run a X11 app unsandboxed which would lead to a sandbox escape.

Element, Signal and Discord are examples that come to mind. Element works if you use the appropriate flag but Discord doesn’t support Wayland at all. Signal doesn’t work at all I think… I’ve been successful in running Signal under wayland on my system but only the Beta version and that isn’t available as a flatpak.

RoyalOughtness · December 3, 2024, 7:39am

by enabling Xwayland without taking any extra measures to secure it
but before Secureblue is recommended PG should document how the recommended apps can be run in the distribution

If a recommended app requires Xwayland and an alternative is available that doesn’t, then the recommendation should be adjusted. Adding back Xwayland is opening a can of worms. And again, hardening that can of worms, while in scope, is not a priority.

plays games

Gaming and security on desktop linux don’t play nice with each other to begin with. Enabling Xwayland is just one of the many bits of hardening someone might want to undo to improve gaming compatibility or performance (e.g. dehardening our ptrace scope setting, which enables anticheat support). So while gaming on secureblue is very much supported, hardening and gaming are largely opposite goals (even simple stuff like enabling cpu mitigations, init_on_alloc, or nosmt which reduce perf).

Element

You should avoid the element electron client to begin with if you care about security. You’re much better off using the webapp in an up-to-date browser instead of an old, neutered chromium via electron.

Signal

Even moreso, if you care about security you shouldn’t touch the signal electron desktop app in any form (flatpak/deb/etc) with a 10 foot pole.

Discord

The discord webapp works well

asanyan · December 3, 2024, 2:12pm

I’m not sure about battleye but EAC worked well for me with kernel.yama.ptrace_scope=2

Disabling SMT can actually improve performance depending on the game. It’s true that some of the hardening reduces performance but the drops aren’t that big depending on one’s hardware and the game. I think it’s perfectly feasible to game on a hardened system, given that one’s hardware is recent/powerful enough.

I don’t want to derail the thread by discussing “electron good/bad” again but at least it’s worth noting that Element and Signal don’t use EOL versions of Electron like some other apps out there and therefore should have the latest security updates.

Niek-de-Wilde · December 3, 2024, 2:20pm

Just buy an intel cpu without hyperthreading ;p

anon5410820 · December 4, 2024, 3:04am

Signal work-ish under Wayland, you can force it to be Wayland (I use it inside of a distrobox). Signal’s repo still apparently targets Ubuntu 16.04, which makes me question why???

RoyalOughtness · December 4, 2024, 9:05pm

just a side note, most latest gen cpus that have hardware mitigations for spectre, and mitigations=auto,nosmt doesn’t disable hyperthreading for those cpus

We do give users with latest gen hardware the option to force smt off regardless of their hardware mitigations, but by default smt is off for known-affected hardware and left on otherwise.

Niek-de-Wilde · December 4, 2024, 9:26pm

Doesn’t nosmt disable hyperthreading, as smt is the non intel name for the same principle?

Edit, p.s. welcome to the forum btw, good to have you on board

Topic		Replies	Views
Kicksecure vs Secureblue? Questions	10	168	December 28, 2024
How do I download Secureblue? Questions	5	70	March 13, 2024
Hardened-chromium is now Trivalent! General software	14	2567	April 11, 2025
Thoughts on Universal Blue (Bluefin, Bazzite, Aurora) General	22	3974	February 5, 2025
Brave vs Trivalent Security Questions	22	1051	March 27, 2025

Secureblue - Atomic Fedora Hardening

Related topics