What would be THE answer to non-VM compartmentalization-based desktop linux security?

[ple1n]

I recently settled for opensnitch which seems to be the optimal choice in class.

• It suits desktop use
• It has a GUI, and prompts the user for adjusting configuration.
• What it does is clear and intuitive to me, without reading docs, or becoming an expert in the field. Thanks that networking is simpler and it shows the grand picture in GUI.
• Its behavior matches an average user's expectation. It does/should not have hidden traps that undermine security.

I don't have a clear idea what the state of the issue is. It seems firejail/apparmor have obscure docs, or they are not intended for average/sane users, maybe as the basis for more friendly wrappers. Flatpak/bubblewrap currently doesn't support Netns (so personally I use firejail to sandbox firefox, in a proxied netns).

I am baffled by the current state of things, everything around this compartmentalization problem and that it is a giant mess. They are all incomplete and full of traps. They don't assure me of any security. I could use my own scripts to get it work somehow but these are hacks, since I don't have enough domain knowledge. I can not convince myself that I am secure. My point is that an ideal solution of the problem would assure the user through GUI, ie. by showing all possible ways an application may interact with the system in a dialog, like the editing window of a firewall rule, but for filesystem, syscalls and other things I don't even know. I have no idea what apparmor/firejail is actually doing, what an application can access and what it can't.

edit: just read about the video-player-fetching-metadata issue. the user doesn't expect that a video player fetches metadata, while he expects the browser to make requests. then, the video player's behavior is out of the expectation. the user should be prompted whether that is allowed.

If the user has configured the browser to use proxies, it will be unexpected that the browser still queries DNS without being proxied.
(firefox does it and its hard to get it right). If the user installs firejail/bwrap/vpn, it is already unexpected that a software violates privacy.

[kmk3]

Relates to:

• Does firejail improve the security of my system? thoughts by @rusty-snake #4601

[rusty-snake]

FTR: igo95862/bubblejail#50

[kmk3]

(Offtopic)

FTR: igo95862/bubblejail#50

@planetoryd

If you are going to start the exact same discussion in multiple places, at
least make sure that they all link to each other.

This could save different people from saying the same thing in different
threads and wasting their time. It would also make it easier to expand on
existing points.

[topimiettinen]

OpenSnitch is just a firewall, though pretty cool, especially UI. I think THE answer would be to integrate Firejail with it (or just the UI), so that in addition to network/DNS firewalling, all application sandboxing features like file system namespaces, capabilities and seccomp could be configured in one place. I suppose OpenSnitch in turn would benefit form Firejail's huge set of profiles if fully integrated.