You are not logged in.
Whats the best way to achieve application security like MacOS, iOS, iPadOS or Android on Arch Linux? Currently any program I use has basically full control of over anything my user controls.
To give a bit more context, applications should start with very little permissions. If they want to do anything like the following, there should be a pop up to grant/deny the request:
- share/record screen
- access to microphone and webcam
- access to folders like downloads, a cloud drive (e.g. OneDrive, Dropbox, Proton Drive...), photo's...
- send notifications
- go fullscreen
- access location
I know about the mandatory access control (MAC), discretionary access control (DAC) and sandboxing applications described in https://wiki.archlinux.org/title/Security, but I've never managed to set up anything that comes even close to this granularity, easy UX and actually work.
Any ideas or experience with something similar on Arch Linux?
Offline
achieve application security like MacOS, iOS, iPadOS or Android
You mean isolating processes in sandboxes, that's not really a "security" feature, but see https://wiki.archlinux.org/title/Firejail
Online
Thanks Seth. Why do you not consider this a security feature?
I can give Firejail another try. Should I try to combine this with AppArmor?
Offline
Warning: Running untrusted code is never safe, sandboxing cannot change this.
Security isn't a thing, it's a mindset.
I get the colloquial expression, but running shadytooltotallynotabitcoinminerbelievemebro in a sandbox is not making anything "secure" and it's not good to think this way.
You cannot just tick a couple of checkboxes and that makes it then securererer.
Make sure to read https://wiki.archlinux.org/title/Fireja … or_support
Online