Welcome!
Important information
-- Spectre and Meltdown vulnerabilities
-- Change in MX sources

News
-- MX Linux on social media: here
-- Mepis support still here

Current releases
-- MX-17.1 Final release info here
-- antiX-17 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

Is there a reason we don't Firejail everything?

Post Reply
Message
Author
User avatar
Guido
Forum Novice
Forum  Novice
Posts: 27
Joined: Sat Nov 10, 2018 4:21 pm

Is there a reason we don't Firejail everything?

#1 Post by Guido » Sun Nov 25, 2018 8:50 pm

I was doing a bit of reading on Firejail. Not currently running it. It looks very configurable, but the default is to give it access to ~/home and internet access. Not sure why my web browser needs to see all my files, nor why my photo editor needs internet access.

I'm guessing that if you try to Firejail everything, nothing is going to work, and you won't be able to exchange files between apps if you create fake filesystems for them to exist in. I'm also guessing that it would be a lot of work to give every program just the permissions it needs. So, I'm curious if anyone is giving serious thought to sandboxing most of the major programs by default. Is there some reason this isn't the way people are going?

User avatar
Stevo
Forum Veteran
Forum Veteran
Posts: 17029
Joined: Fri Dec 15, 2006 8:07 pm

Re: Is there a reason we don't Firejail everything?

#2 Post by Stevo » Sun Nov 25, 2018 8:53 pm

Kind of like asking why don't we prevent crime by putting everyone in prison at birth, IMO. :p

User avatar
Guido
Forum Novice
Forum  Novice
Posts: 27
Joined: Sat Nov 10, 2018 4:21 pm

Re: Is there a reason we don't Firejail everything?

#3 Post by Guido » Sun Nov 25, 2018 9:53 pm

Not absolutely everything. How many OSS programs phone home? I keep finding OSS apps that do stupid things with networking. Just found an open source game that ships configured for network play. You can disable it, but that's not the point. All the music playing software does gratuitous lookups of album art of everything you own or play unless you specially opt out. ANd then there's Firefox.
I'm not looking to jail Thunar, I'm thinking of jailing pretty much anything that isn't a trusted utility. I can't be the first to ask why not.

User avatar
richb
Administrator
Posts: 17503
Joined: Wed Jul 12, 2006 2:17 pm

Re: Is there a reason we don't Firejail everything?

#4 Post by richb » Sun Nov 25, 2018 10:11 pm

My take do not lock me down. Let me decide.
Forum Rules
Guide - How to Ask for Help

Rich
SSD Production: MX 17.1
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB, 350 GB HD

User avatar
dreamer
Forum Regular
Forum Regular
Posts: 254
Joined: Sun Oct 15, 2017 11:34 am

Re: Is there a reason we don't Firejail everything?

#5 Post by dreamer » Sun Nov 25, 2018 10:34 pm

Stevo wrote:
Sun Nov 25, 2018 8:53 pm
Kind of like asking why don't we prevent crime by putting everyone in prison at birth, IMO. :p
haha, I think that's what they are trying to do with Flatpaks, Snaps and Wayland. They just forgot to tell us. The prison will be similar to Android so maybe they think no one will notice.
Guido wrote:
Sun Nov 25, 2018 8:50 pm
Is there some reason this isn't the way people are going?
Maybe because the Android experience is very limited? If you are creating a platform for mainstream, maybe sandboxing is a necessary evil. But if you mainly use open source and download/install from trusted locations, sandboxing is not worth it IMO.

User avatar
manyroads
Forum Regular
Forum Regular
Posts: 214
Joined: Sat Jun 30, 2018 6:33 pm

Re: Is there a reason we don't Firejail everything?

#6 Post by manyroads » Mon Nov 26, 2018 10:04 am

Aside from the answers above... try running firejail for a while on a lot of programs. I suspect you'll see why.

Updates/ upgrades are funky; resources get tangled; symbolic links and DE functions breakdown (like html links); GUIs (themes, icons, etc)are even less standard than normal.

I found it to be practically like paradise... a never ending set of chores, for a marginal amount of 'supposed' security. :bagoverhead: Go right ahead an do it, just not for me. :rolleyes:
Pax vobiscum,
ManyRoads (Mark Rabideau)
http://many-roads.com
MX-18b1_x64 Continuum
Platform: Dell Latitude E5470
CPU: Dual Core Intel i5-6300U (-MT MCP-)
Mem: 8GB SSD: 978.09 GiB
Reg. Linux User #449130
:bagoverhead:

Redacted
Forum Regular
Forum Regular
Posts: 156
Joined: Sat Apr 29, 2017 6:53 am

Re: Is there a reason we don't Firejail everything?

#7 Post by Redacted » Mon Nov 26, 2018 2:45 pm

I by no means thumb my nose at security and privacy concerns.
Long ago when on windows, I was a member of a large security forum, and enjoyed reading, posting, and using tons of anti-malware software.
But I'm fed up with being in a jail of my own making.
With about:config tweaks, several add ons, etc, I believe I'm as safe as I need to be on Linux.
Manyroads has it right:
a never ending set of chores, for a marginal amount of 'supposed' security.
Of course, different people like different things. And that's cool.
MX 17.1

clicktician
Forum Regular
Forum Regular
Posts: 213
Joined: Sat May 02, 2015 4:35 pm

Re: Is there a reason we don't Firejail everything?

#8 Post by clicktician » Mon Nov 26, 2018 5:26 pm

I've always been fascinated by Qubes OS ever since I saw it at a security conference. You compartmentalize your machine into VMs like "banking", "office", "social", et.al. which contain related programs, data, networking and other resources.

Never installed it, tho. It's highly experimental, and it looks complicated.

https://www.qubes-os.org/
Son, someday all this will belong to your ex wife.

turtlebay777
Forum Regular
Forum Regular
Posts: 247
Joined: Sat Apr 14, 2018 2:40 pm

Re: Is there a reason we don't Firejail everything?

#9 Post by turtlebay777 » Mon Nov 26, 2018 6:46 pm

manyroads wrote:
Mon Nov 26, 2018 10:04 am

I found it to be practically like paradise... a never ending set of chores, for a marginal amount of 'supposed' security. :bagoverhead: Go right ahead an do it, just not for me. :rolleyes:

Precisely why I moved to Linux and stopped using Windoze!

Post Reply

Return to “General”