“The year of the Linux desktop” should come every day, but we are not really prepared.
SELinux confined users are still not really usable to my knowledge.
My question is: can we add small opt-in hardening using this technology?
Idea: nonexecutable home?
I would like to protect my system from malware, which means: you need privileges to install software.
At first glance this sounds like this: lock down /home with noexec; all software needs to be in the system, installed with root permissions.
Impacts
But this is problematic. We don’t want to increase the need to use root, do we?
On an atomic desktop this would mean
Works
- RPMs
- systemwide flatpaks
- binaries, scripts in /usr/local/bin aka /var/usrlocal/bin
- QEMU system session VMs
- rootful podman containers
Does not work
- per user flatpaks
- AppImages used with random updaters placing them in ~/Apps or so
- local scripts in ~/.local/bin
- cargo, pip, pipx, npm, go,… local development or installed binaries
- QEMU user session VMs that don’t need root (also in virt-manager Flatpak and GNOME Boxes?)
- podman containers, toolbx, distrobox
This seems bad…
Alternatives: very different
I would like to throw this in
https://wiki.gentoo.org/wiki/Simple_sandbox
It uses core Linux user process isolation, like Android, by isolating every process in its own UID. There is no need for user namespaces, flatpaks etc., and apps are isolated using standardized and very basic methods, way more secure than Flatpak.
Wayland is reported to work, but I don’t know about portals, pipewire, d-bus and a lot more standards. It feels like fighting windmills while on Android this is standard, just like full SELinux confinement.
Workarounds with less change
The Linux desktop seems to go in this vague direction of user namespaces, containers and isolation through that.
So would it make sense to mount $HOME/.local separately and executable, and only allow a few binaries to execute its contents?
This could then restrict exec permissions to flatpak, qemu, podman and we could call it a day. Some development things would be broken, so the UX of working in VMs should be improved instead of opening up systems.
These are just my thoughts. Is something like that possible?
Also note secureblue’s approach to only allow user namespace creation to a few allowlisted binaries that run SELinux confined. This is likely very different though.
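As an added example (not part of the post above), here is a small audit script for the noexec-/home idea: it inventories which of the directories the post lists as affected (~/.local/bin, ~/Apps, per-user flatpaks) actually contain executables, and checks whether a given mount point already carries noexec. The extra ~/.cargo/bin and ~/go/bin paths are assumptions about where cargo and go put user binaries.

```bash
#!/bin/sh
# Added example: estimate what a noexec mount on /home would break.
# Directories named in the post; .cargo/bin and go/bin are assumed defaults.
EXEC_DIRS=".local/bin Apps .local/share/flatpak .cargo/bin go/bin"

# Print every regular file with the owner execute bit under the given root.
list_executables() {
  root="$1"
  [ -d "$root" ] || return 0
  find "$root" -xdev -type f -perm -100 2>/dev/null
}

# Count executables in the affected directories under a home directory
# (defaults to $HOME); the count is written to stdout.
count_exec_in_home() {
  home="${1:-$HOME}"
  total=0
  for d in $EXEC_DIRS; do
    n=$(list_executables "$home/$d" | wc -l)
    total=$((total + n))
  done
  echo "$total"
}

# Return 0 if the mount point carries the given option (e.g. noexec).
# Reads /proc/self/mounts unless a mounts-format file is passed as $3.
mount_has_opt() {
  mp="$1"; opt="$2"; file="${3:-/proc/self/mounts}"
  awk -v mp="$mp" -v opt="$opt" \
    '$2 == mp && index("," $4 ",", "," opt ",") > 0 { found = 1 }
     END { exit found ? 0 : 1 }' "$file"
}

# Stand-alone use: report on the current user's home and /home mount.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
  echo "executables under affected dirs: $(count_exec_in_home)"
  if mount_has_opt /home noexec; then
    echo "/home is already mounted noexec"
  else
    echo "/home is not mounted noexec"
  fi
fi
```

Run it with `AUDIT_RUN=1 sh audit.sh`; a non-zero count means the listed user-level workflows would stop working after the remount.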