You are not logged in.

#1 2024-09-22 13:45:25

Captain Athelas
Member
Registered: 2020-05-15
Posts: 37

Best way achieve to achieve application security like other OSes?

Whats the best way to achieve application security like MacOS, iOS, iPadOS or Android on Arch Linux? Currently any program I use has basically full control of over anything my user controls.

To give a bit more context, applications should start with very little permissions. If they want to do anything like the following, there should be a pop up to grant/deny the request:

- share/record screen
- access to microphone and webcam
- access to folders like downloads, a cloud drive (e.g. OneDrive, Dropbox, Proton Drive...), photo's...
- send notifications
- go fullscreen
- access location

I know about the mandatory access control (MAC), discretionary access control (DAC) and sandboxing applications described in https://wiki.archlinux.org/title/Security, but I've never managed to set up anything that comes even close to this granularity, easy UX and actually work.

Any ideas or experience with something similar on Arch Linux?

Offline

#2 2024-09-22 13:53:21

seth
Member
Registered: 2012-09-03
Posts: 57,184

Re: Best way achieve to achieve application security like other OSes?

achieve application security like MacOS, iOS, iPadOS or Android

You mean isolating processes in sandboxes, that's not really a "security" feature, but see https://wiki.archlinux.org/title/Firejail

Online

#3 2024-09-22 14:04:43

Captain Athelas
Member
Registered: 2020-05-15
Posts: 37

Re: Best way achieve to achieve application security like other OSes?

Thanks Seth. Why do you not consider this a security feature?

I can give Firejail another try. Should I try to combine this with AppArmor?

Offline

#4 2024-09-22 14:23:07

seth
Member
Registered: 2012-09-03
Posts: 57,184

Re: Best way achieve to achieve application security like other OSes?

https://wiki.archlinux.org/title/Firejail wrote:

Warning: Running untrusted code is never safe, sandboxing cannot change this.

Security isn't a thing, it's a mindset.
I get the colloquial expression, but running shadytooltotallynotabitcoinminerbelievemebro in a sandbox is not making anything "secure" and it's not good to think this way.
You cannot just tick a couple of checkboxes and that makes it then securererer.

Make sure to read https://wiki.archlinux.org/title/Fireja … or_support

Online

Board footer

Powered by FluxBB