I was doing a bit of reading on Firejail. Not currently running it. It looks very configurable, but the default is to give it access to ~/home and internet access. Not sure why my web browser needs to see all my files, nor why my photo editor needs internet access.
I'm guessing that if you try to Firejail everything, nothing is going to work, and you won't be able to exchange files between apps if you create fake filesystems for them to exist in. I'm also guessing that it would be a lot of work to give every program just the permissions it needs. So, I'm curious if anyone is giving serious thought to sandboxing most of the major programs by default. Is there some reason this isn't the way people are going?
Is there a reason we don't Firejail everything?
Re: Is there a reason we don't Firejail everything?
Kind of like asking why don't we prevent crime by putting everyone in prison at birth, IMO.
Re: Is there a reason we don't Firejail everything?
Not absolutely everything. How many OSS programs phone home? I keep finding OSS apps that do stupid things with networking. Just found an open source game that ships configured for network play. You can disable it, but that's not the point. All the music playing software does gratuitous lookups of album art of everything you own or play unless you specially opt out. ANd then there's Firefox.
I'm not looking to jail Thunar, I'm thinking of jailing pretty much anything that isn't a trusted utility. I can't be the first to ask why not.
I'm not looking to jail Thunar, I'm thinking of jailing pretty much anything that isn't a trusted utility. I can't be the first to ask why not.
Re: Is there a reason we don't Firejail everything?
My take do not lock me down. Let me decide.
Forum Rules
Guide - How to Ask for Help
richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB
Guide - How to Ask for Help
richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB
Re: Is there a reason we don't Firejail everything?
haha, I think that's what they are trying to do with Flatpaks, Snaps and Wayland. They just forgot to tell us. The prison will be similar to Android so maybe they think no one will notice.
Maybe because the Android experience is very limited? If you are creating a platform for mainstream, maybe sandboxing is a necessary evil. But if you mainly use open source and download/install from trusted locations, sandboxing is not worth it IMO.
Re: Is there a reason we don't Firejail everything?
Aside from the answers above... try running firejail for a while on a lot of programs. I suspect you'll see why.
Updates/ upgrades are funky; resources get tangled; symbolic links and DE functions breakdown (like html links); GUIs (themes, icons, etc)are even less standard than normal.
I found it to be practically like paradise... a never ending set of chores, for a marginal amount of 'supposed' security. Go right ahead an do it, just not for me.
Updates/ upgrades are funky; resources get tangled; symbolic links and DE functions breakdown (like html links); GUIs (themes, icons, etc)are even less standard than normal.
I found it to be practically like paradise... a never ending set of chores, for a marginal amount of 'supposed' security. Go right ahead an do it, just not for me.
Pax vobiscum,
Mark Rabideau - ManyRoads Genealogy -or- eirenicon llc. (geeky stuff)
i3wm, bspwm, hlwm, dwm, spectrwm ~ Linux #449130
"For every complex problem there is an answer that is clear, simple, and wrong." -- H. L. Mencken
Mark Rabideau - ManyRoads Genealogy -or- eirenicon llc. (geeky stuff)
i3wm, bspwm, hlwm, dwm, spectrwm ~ Linux #449130
"For every complex problem there is an answer that is clear, simple, and wrong." -- H. L. Mencken
Re: Is there a reason we don't Firejail everything?
I by no means thumb my nose at security and privacy concerns.
Long ago when on windows, I was a member of a large security forum, and enjoyed reading, posting, and using tons of anti-malware software.
But I'm fed up with being in a jail of my own making.
With about:config tweaks, several add ons, etc, I believe I'm as safe as I need to be on Linux.
Manyroads has it right:
Long ago when on windows, I was a member of a large security forum, and enjoyed reading, posting, and using tons of anti-malware software.
But I'm fed up with being in a jail of my own making.
With about:config tweaks, several add ons, etc, I believe I'm as safe as I need to be on Linux.
Manyroads has it right:
Of course, different people like different things. And that's cool.a never ending set of chores, for a marginal amount of 'supposed' security.
-
- Posts: 136
- Joined: Sat May 02, 2015 4:35 pm
Re: Is there a reason we don't Firejail everything?
I've always been fascinated by Qubes OS ever since I saw it at a security conference. You compartmentalize your machine into VMs like "banking", "office", "social", et.al. which contain related programs, data, networking and other resources.
Never installed it, tho. It's highly experimental, and it looks complicated.
https://www.qubes-os.org/
Never installed it, tho. It's highly experimental, and it looks complicated.
https://www.qubes-os.org/
Son, someday all this will belong to your ex wife.
-
- Posts: 254
- Joined: Sat Apr 14, 2018 2:40 pm