Hardened Fedora Atomic, Brainstorming

This is a cool project, based on Ublue’s awesome work at making the creation of new images easy. It is a bit opinionated with removing Flatpaks (making the distro pretty useless) but that only follows the user namespace restrictions.

What would your ideas of a hardened distro be? Could Nix be integrated in the image creation process, as it can’t be layered it seems. I heard some people mentioning that it could sit in /var/nix and be symlinked on every boot to /nix to work

Or simply a way to remove the namespace restriction, I guess via a kernel parameter, would be nice.

The browser choice is for pure security, as especially Chromium RPM has way better Sandboxing that Firefox. I personally find Chrome/ium hardly usable for some reason, the interface is horrible and I would miss many extensions. Also the Plasma integration would lack.

I think a security spin of ublue is really important, and possibly a playground for things like SELinux confined users (currently just breaking plasma?), bubblejail integration and more.

I started a Fedora COPR including bubblejail but for some reason only the OpensuseTumbleweed one builds, lets see about that.

Apart from the namespace restriction, the hardened kernel and malloc should be perfectly usable, simply with wayy less attack surface. I think this fits perfectly into Fedora Atomic, and this project should be embraced more.

1 Like