#Firejail

Michael Altfield 🛡️ (MichaelAltfield)
2026-02-03

Have you ever been locked-out of your own account "for your protection"? 🤦

🔗 tech.michaelaltfield.net/2026/

This guide 👆 shows how to set up a Persistent, Sandboxed, Single-Site-Browser using and to minimize the risk of Evil-Corp effectively issuing a attack against you (due to false positives)

2026-02-02

Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!

2025-12-12

Does anyone know of a project like #firejail, but not written by schizos for schizos? Because the impression is that the target audience of this thing is dudes who don't use software, but only write firejail configs for software, and then sit there pleased at how they've fenced everything off. I don't want to magically figure out and then manually list ALL the directories a program uses. I just want a pseudo-home, just to turn `~/somefile` into `~/jail/somefile`, not all of this.

2025-12-02

Hardening with Firejail, Landlock, and bubblewrap

Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But it seems like it's going to be a good next step.

#security #linux #bwrap #landlock #firejail

Originally published [on my blog](advancedweb.hu/shorts/hardenin)
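As an added example (not from the post above, and not the landrun or bubblewrap projects' own code), here is a POSIX shell helper that assembles the kind of layered bubblewrap command line the post contrasts with Landlock: `$HOME` is bind-mounted read-only, and then an empty tmpfs is mounted over the browser profile inside it, so the program sees the home directory but not the profile. The order matters because bwrap applies mounts in argument order and a later mount shadows an earlier one. It assumes `bwrap` is installed and uses `~/.config/chromium` as an assumed profile path; `layering_ok` is a check written for this example.

```shell
#!/bin/sh
# Added example: build bubblewrap arguments that grant read-only access to a
# home directory while hiding one subdirectory under it with an empty tmpfs.
# Assumes bwrap (bubblewrap) is installed; the hidden path is an assumption.

# $1: home directory, $2: subdirectory of $1 to hide
# Prints one argument per line; paths must not contain whitespace.
sandbox_args() {
  home=$1
  hidden=$2
  printf '%s\n' \
    --ro-bind /usr /usr \
    --ro-bind /etc /etc \
    --symlink usr/lib /lib \
    --symlink usr/lib64 /lib64 \
    --symlink usr/bin /bin \
    --proc /proc \
    --dev /dev \
    --ro-bind "$home" "$home" \
    --tmpfs "$home/$hidden" \
    --unshare-all \
    --die-with-parent
}

# Run a command inside the sandbox if bwrap is available.
# $1: home directory, $2: subdirectory to hide, rest: command and arguments
run_sandboxed() {
  home=$1
  hidden=$2
  shift 2
  command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
  # Unquoted on purpose: the argument list is newline-separated.
  bwrap $(sandbox_args "$home" "$hidden") "$@"
}

# Sanity check of the layering: the tmpfs that hides the profile must appear
# after the ro-bind of the home directory, otherwise the bind covers it.
layering_ok() {
  args=$(sandbox_args "$1" "$2")
  bind_line=$(printf '%s\n' "$args" | grep -n -- "^$1\$" | head -n1 | cut -d: -f1)
  tmpfs_line=$(printf '%s\n' "$args" | grep -n -- "^$1/$2\$" | head -n1 | cut -d: -f1)
  [ -n "$bind_line" ] && [ -n "$tmpfs_line" ] && [ "$tmpfs_line" -gt "$bind_line" ]
}
```

Usage: `run_sandboxed "$HOME" .config/chromium ls -la "$HOME/.config/chromium"` should list an empty directory, while `ls "$HOME"` inside the sandbox still shows the rest of the home directory. Add `--share-net` after `--unshare-all` if the program needs network access.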

2025-11-26

I launched Terraria, and my saves don't even disappear after a restart. I consider this a win.

~/.config/firejail/lutris.local:
```
# Local overrides for the stock lutris profile:
# "ignore <line>" drops that line from the stock profile before it is applied.
name lutris

ignore noblacklist ${HOME}/Games
noblacklist ${HOME}/.lutris
ignore mkdir ${HOME}/Games
mkdir ${HOME}/.lutris
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/Games
whitelist ${HOME}/.lutris

# terraria: allow executables in /tmp and keep the save directory
ignore noexec /tmp
noblacklist ${HOME}/.local/share/Terraria
mkdir ${HOME}/.local/share/Terraria
whitelist ${HOME}/.local/share/Terraria

# ???
# github.com/netblue30/firejail/
whitelist /usr/share/glycin-loaders
noblacklist /usr/bin/bwrap
noblacklist /proc/sys/kernel/overflowuid
noblacklist /proc/sys/kernel/overflowgid

# replace the stock seccomp exception with a wider one (nested bwrap needs these)
ignore seccomp !chroot
seccomp !chroot,!mount,!pivot_root,!umount2
```

#firejail #lutris

2025-11-15

#firejail is good. I always thought of it as a filesystem sandbox, but it's a network tool too. Just used it to create a network jail for #Steam, forcing it to use only my Wi-Fi.

2025-11-03

@grafov@fosstodon.org fwiw... atm posting this reply from my "normal" boot, #ArchLinux #KDE, wherein i've run #Firejail since the beginning [& in all distros before Arch]. Later today shall be booting back into my "new" boot, only ~week old & still finessing it; #KDELinux. Tis my first #immutable #atomic i've run on SSD rather than just in VMs. Really enjoying it, but not being able to use FJ anymore is a very unsettling feeling for me. 😳 I reckon FJ is pretty fab.

Alexander Grafov (grafov@fosstodon.org)
2025-11-03

I switched from #AppArmor to #Firejail on my desktop. For me Firejail's configuration is much less cryptic than AppArmor's :) But I noticed there was no syntax highlighting for Firejail config files in #Emacs, so I created a simple mode using SMIE:

github.com/grafov/firejail-mode

Because GNU/Emacs should have a mode for any task, you know! #butterfly

2025-10-13

Well... bzflag is a trap, in case anyone is tempted by that honey pot. #bzflag

Got hacked and uncertain of the scope, gonna be a week of fixing things.

I really don't have the energy for this, but whatever, here we go... I was just saying how I enjoyed looking into intrusions...

Feel so foolish. Wasn't even running it in #firejail.

Not sure if they gained persistence, but pretty sure they could have. Paranoia makes me assume it was worse than it was.

2025-09-22

@rysiek sorry that this isn't an answer to your question but rather another question 😆
What's the use case for Qubes over, for example, #firejail or #apparmor for some specific apps. Or maybe containerisation or virtualization for risk prone or non trustworthy software.
I ask because I understand that qubes has a pretty big performance requirement

2025-09-07

@hopland@snabelen.no Thank you. I already use #Distrobox in some of my other immutable distro VMs, & agree that it's a wonderful project.

Tomorrow then i shall see if i can use DB in this #KDELinux VM to install my #VPN app.

Also, in my real host distro, #Arch, for many years i use #Firejail to give me excellent sandboxing control of my internet-facing apps, to stop them accessing my documents & data. Given it seems i cannot use FJ in KDELinux, today i experimented with the App Permissions part of Plasma Settings. For a couple of the browsers i've installed there i set them to have no access to other than my Downloads directory... but it did not work -- they still have unfettered access to anything they like. This appals & frustrates me. It's another dilemma i must solve before this distro could be more than a toy for me.

2025-09-07

@hopland@snabelen.no Thanks... but i'm beginning to suspect i'm not good enough to make this [or any other immutable] distro do what i need...

> systemd-sysext is meant to allow other vendors to provide their own image

"Vendors"? So is this command not intended for mere ordinary users? All i hoped to be able to do is to use this command to be able to install non-Flatpak apps, like my #VPN app, & #Firejail, etc.

Also, though ofc i cannot test this in a VM, if #KDELinux would have any chance of eventually becoming my main system, i would need to be able to use #KVM #QEMU #VirtManager for my VMs, for which i had assumed i would also need this command.

Unless i could solve these sorts of scenarios, this distro could never become my real system. I am really attracted to it conceptually, but would not compromise on my needs that it would have to support.

2025-09-01

Under ARCHLINUX, I can't get apparmor/firejail to work when loading the hardened kernel, but it works fine with the classic kernel.
I don't know which is the best choice or if anyone has a solution.

#arch #archlinux #apparmor #firejail

Why Avoid Binaries in Early-Stage Projects?

Auditability: Source code is readable, understandable, and can be version-controlled. Binaries (especially opaque ones) may include unknown payloads, telemetry, or hardcoded calls. #bubblewrap #firejail

2025-05-30

oniux!
pzhdfe7jraknpj2qgu5cz2u3i4deuy
hexchat and curl work

onionmasq
gitlab.torproject.org/tpo/core
Experimentation Tips --->
Unless you’ve already got Debian Trixie set up, provided that #rustlang works best in the latest #environment , I would recommend #Fedora for rustup and cargo. Be sure you run #AndroidStudio on baremetal for kvm #emulation to work properly for device profiles and then you can forget about nested virtualization.

Onionmasq looks like a better option for unblocking access while utilizing tor as much as possible than tor to ovpn (wireguard can't do that). But the project is still under development. It would be nice to have a --net=onion0 option work with #firejail but as you will notice with #oniux , there is already a level of sandboxing active and ioctl (also RTNETLINK) is not configured to handle this new organization.

#Rust #TorProject #Android #App

2025-05-27

@libreoffice I like LibreOffice because 1) it is intuitive to use, you don't have to read a manual to use basic functions; 2) it is trouble-free to use without Internet in a sandbox (firejail); 3) it can be extended with add-ons; 4) it can read proprietary formats, unfortunately sometimes necessary; 5) its range of functions allows you to have no disadvantages when using free software for word/table/presentation editing.

#LibreOffice #firejail

2025-05-18

Suspicious of the income tax return generator program (proprietary software, imposed in every sense of the word) because of some past occasion when I saw some suspicious communication via OpenSnitch, here I am trying to create a very restrictive profile for it with #Firejail. 🤔

Ideally it would be fully confined and without any connection. However, to obtain the pre-filled return and later to transmit the return, something has to be allowed. I'd like to know exactly what to allow.

2025-04-23

nice!!! I'm starting to use https://slackbuilds.org/repository/15.0/network/landrun/ on #slackware current.

#Landrun (Think #firejail, but with kernel-level security and minimal overhead)

CC: @frogfroggy@fosstodon.org

2025-02-19

After taking the nickel tour of #Qubes, my hasty conclusion is that it is anti-#KISS; there are seemingly many moving parts under the surface, and many scripts to grok to comprehend what is going on.

I plan to give it some more time, if only to unwrap how it launches programs in a VM and shares them with dom0's X server and audio and all that; perhaps it's easier than I think.

I also think #Xen is a bit overkill, as the claim is that it has a smaller kernel and therefore smaller attack surface than the seemingly superior alternative, #KVM. Doing some rudimentary searching out of identified / known VM escapes, there seem to be many more that impact Xen than KVM, in the first place.

Sure, the #Linux kernel may be considerably larger than the Xen kernel, but it does not need to be (a lot can be trimmed from the Linux kernel if you want a more secure hypervisor), and the Linux kernel is arguably more heavily audited than the Xen kernel.

My primary concern is compartmentalization of 'the web', which is the single greatest threat to my system's security, and while #firejail is a great solution, I have run into issues maintaining my qutebrowser.local and firefox.local files tuned to work well, and it's not the simplest of solutions.

Qubes offers great solutions to the compartmentalization of data and so on, and for that, I really like it, but I think it's over-kill, even for people that desire and benefit from its potential security model, given what the threats are against modern workstations, regardless of threat actor -- most people (I HOPE) don't have numerous vulnerable services listening on random ports waiting to be compromised by a remote threat.

So I am working to refine my own security model, with the lessons I'm learning from Qubes.

Up to this point, my way of using a system is a bit different than most. I have 2 non-root users, neither has sudo access, so I do the criminal thing and use root directly in a virtual terminal.

One user is my admin user that has ssh keys to various other systems, and on those systems, that user has sudo access. My normal user has access to some hosts, but not all, and has no elevated privileges at all.

Both users occasionally need to use the web. When I first learned about javascript, years and years ago, it was a very benevolent tool. It could alter the web page a bit, and make popups and other "useful" things.

At some point, #javascript became a beast, a monster, something that was capable of scooping up your password database, your ssh keys, and probe your local networks with port scans.

In the name of convenience.

As a result, we have to take browser security more seriously, if we want to avoid compromise.

The path I'm exploring at the moment is to run a VM or two as a normal user, using KVM, and then using SSH X forwarding to run firefox from the VM which I can more easily firewall, and ensures if someone escapes my browser or abuses JS in a new and unique way, that no credentials are accessible, unless they are also capable of breaking out of the VM.

What else might I want to consider? I 'like' the concept of dom0 having zero network access, but I don't really see the threat actor that is stopping. Sure, if someone breaks from my VM, they can then call out to the internet, get a reverse shell, download some payloads or build tools, etc.

But if someone breaks out of a Qubes VM, they can basically do the same thing, right? Because they theoretically 'own' the hypervisor, and can restore network access to dom0 trivially, or otherwise get data onto it. Or am I mistaken?

Also, what would the #LXC / #LXD approach look like for something like this? What's its security record like, and would it provide an equivalent challenge to someone breaking out of a web browser (or other program I might use but am not thinking of at the moment)?

2025-02-15

Just learned about sandboxing software called #firejail Moar security! As I play with things I don't understand do da do da.
