Is there a reason we don't Firejail everything?

Post Reply
Message
Author
Guido
Posts: 28
Joined: Sat Nov 10, 2018 4:21 pm

Is there a reason we don't Firejail everything?

#1 Post by Guido »

I was doing a bit of reading on Firejail. Not currently running it. It looks very configurable, but the default is to give it access to ~/home and internet access. Not sure why my web browser needs to see all my files, nor why my photo editor needs internet access.

I'm guessing that if you try to Firejail everything, nothing is going to work, and you won't be able to exchange files between apps if you create fake filesystems for them to exist in. I'm also guessing that it would be a lot of work to give every program just the permissions it needs. So, I'm curious if anyone is giving serious thought to sandboxing most of the major programs by default. Is there some reason this isn't the way people are going?

User avatar
Stevo
Developer
Posts: 12774
Joined: Fri Dec 15, 2006 8:07 pm

Re: Is there a reason we don't Firejail everything?

#2 Post by Stevo »

Kind of like asking why don't we prevent crime by putting everyone in prison at birth, IMO. :p

Guido
Posts: 28
Joined: Sat Nov 10, 2018 4:21 pm

Re: Is there a reason we don't Firejail everything?

#3 Post by Guido »

Not absolutely everything. How many OSS programs phone home? I keep finding OSS apps that do stupid things with networking. Just found an open source game that ships configured for network play. You can disable it, but that's not the point. All the music playing software does gratuitous lookups of album art of everything you own or play unless you specially opt out. ANd then there's Firefox.
I'm not looking to jail Thunar, I'm thinking of jailing pretty much anything that isn't a trusted utility. I can't be the first to ask why not.

User avatar
richb
Administrator
Posts: 10323
Joined: Wed Jul 12, 2006 2:17 pm

Re: Is there a reason we don't Firejail everything?

#4 Post by richb »

My take do not lock me down. Let me decide.
Forum Rules
Guide - How to Ask for Help

richb Administrator
System: MX 23 KDE
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB

User avatar
dreamer
Posts: 738
Joined: Sun Oct 15, 2017 11:34 am

Re: Is there a reason we don't Firejail everything?

#5 Post by dreamer »

Stevo wrote: Sun Nov 25, 2018 8:53 pm Kind of like asking why don't we prevent crime by putting everyone in prison at birth, IMO. :p
haha, I think that's what they are trying to do with Flatpaks, Snaps and Wayland. They just forgot to tell us. The prison will be similar to Android so maybe they think no one will notice.
Guido wrote: Sun Nov 25, 2018 8:50 pm Is there some reason this isn't the way people are going?
Maybe because the Android experience is very limited? If you are creating a platform for mainstream, maybe sandboxing is a necessary evil. But if you mainly use open source and download/install from trusted locations, sandboxing is not worth it IMO.

User avatar
manyroads
Posts: 2603
Joined: Sat Jun 30, 2018 6:33 pm

Re: Is there a reason we don't Firejail everything?

#6 Post by manyroads »

Aside from the answers above... try running firejail for a while on a lot of programs. I suspect you'll see why.

Updates/ upgrades are funky; resources get tangled; symbolic links and DE functions breakdown (like html links); GUIs (themes, icons, etc)are even less standard than normal.

I found it to be practically like paradise... a never ending set of chores, for a marginal amount of 'supposed' security. :bagoverhead: Go right ahead an do it, just not for me. :rolleyes:
Pax vobiscum,
Mark Rabideau - ManyRoads Genealogy -or- eirenicon llc. (geeky stuff)
i3wm, bspwm, hlwm, dwm, spectrwm ~ Linux #449130
"For every complex problem there is an answer that is clear, simple, and wrong." -- H. L. Mencken

User avatar
Redacted
Posts: 294
Joined: Sat Apr 29, 2017 6:53 am

Re: Is there a reason we don't Firejail everything?

#7 Post by Redacted »

I by no means thumb my nose at security and privacy concerns.
Long ago when on windows, I was a member of a large security forum, and enjoyed reading, posting, and using tons of anti-malware software.
But I'm fed up with being in a jail of my own making.
With about:config tweaks, several add ons, etc, I believe I'm as safe as I need to be on Linux.
Manyroads has it right:
a never ending set of chores, for a marginal amount of 'supposed' security.
Of course, different people like different things. And that's cool.

clicktician
Posts: 136
Joined: Sat May 02, 2015 4:35 pm

Re: Is there a reason we don't Firejail everything?

#8 Post by clicktician »

I've always been fascinated by Qubes OS ever since I saw it at a security conference. You compartmentalize your machine into VMs like "banking", "office", "social", et.al. which contain related programs, data, networking and other resources.

Never installed it, tho. It's highly experimental, and it looks complicated.

https://www.qubes-os.org/
Son, someday all this will belong to your ex wife.

turtlebay777
Posts: 254
Joined: Sat Apr 14, 2018 2:40 pm

Re: Is there a reason we don't Firejail everything?

#9 Post by turtlebay777 »

manyroads wrote: Mon Nov 26, 2018 10:04 am
I found it to be practically like paradise... a never ending set of chores, for a marginal amount of 'supposed' security. :bagoverhead: Go right ahead an do it, just not for me. :rolleyes:

Precisely why I moved to Linux and stopped using Windoze!

Post Reply

Return to “General”