Ubuntu Delays Transition To Snap'ed CUPS Print Server

  • #31
    I think containerization is a great way to protect a system, but this seems way too “experimental research project” to ship on a major OS. As someone else stated, libraries being neglected with security issues seems likely. Even IF attackers don’t get filesystem access or for malware, it could still allow for system resources to be used potentially for things like mining or ddos attempts and the like.

    Comment


    • #32
      Originally posted by qarium View Post

      I dropped Kubuntu years ago, at the time Canonical made a deal with Microsoft, which makes Ubuntu part of the evil Microsoft empire. Also KDE is evil CLA-WAR...

      You'd better install Fedora 38 Cinnamon Edition. Cinnamon is similar to KDE but is based on GTK/Gnome.
      I need GNOME about as much as I need a hole in the head. In fact, I specifically wrote a blog post titled "Fixing Applications Which Resist Feeling Platform-Native" about how to force applications like Firefox (XUL/HTML) and Inkscape (GTK3) to feel less alien on a KDE desktop as both groups of addle-minded designers drift further into their own little bubble of special little design snowflake-ness, thinking that will get them more market share. (My blog post also includes links to several other posts about the decline of Linux UI/UX design.)

      So far, I've got instructions for Firefox, Thunderbird, GTK 3/4, Ttk, Wine, and Web Apps.

      Even in the GNOME 2.x era, when I gave GNOME a shot before returning to KDE 3.5, it was annoying how much work I had to do to disable things like spatial navigation, install themes like Clearlooks Compact, etc.

      As much as I love GIR (GObject Introspection, their IDL) and their interest in Rust, I do not share their UI design sensibilities. I'm also not a fan of how terribly GNOME handles being run inside VirtualBox when I need to test the compatibility of a change to my QuickTile tool, and I'm not a fan of Mutter's creaky architecture in general.

      KDE, by contrast, is leading the charge on crash recovery support for Wayland compositors (something I consider non-negotiable if I'm going to switch to Wayland) which the GNOME devs seem disinterested in. (I don't care what DE you champion. I've never seen a compositor that can run for several months straight without starting to lose its mind.)
      Last edited by ssokolow; 25 August 2023, 11:58 PM.

      Comment


      • #33
        Originally posted by Malsabku View Post
        With Fedora Silverblue, all libraries are installed in triplicate for normal usage (base system libs + Fedora Flatpak Libs + Flathub Flatpak Libs). The libraries have also been installed at least twice on other immutable OSes, e.g. openSUSE Aeon (base system libs + flathub libs)
        If that's true, it sounds like something they should fix.

        Silverblue and Flatpak both use OSTree as the underlying "git for your OS" layer, and OSTree already does automatic deduplication within a scope, so all it should take to avoid the duplication between at least the base system and the Fedora Flatpak libs is to ensure the same library versions are used and patch whatever is necessary to ensure that OSTree sees the base system and the Fedora flatpak libs as being backed by the same scope.

        Comment


        • #34
          Originally posted by oleid View Post
          The analogue of flatpak for services is called docker (or one of it's variants).
          Or, if you don't want a buzzword-y, monolithic solution, it's called "ostree for the immutable/atomic updates and systemd for the sandboxing", as is used by things like Fedora Silverblue.

          Here's the systemd unit file for a little daemon I wrote:

          Code:
          [Unit]
          Description=Server to allow my fan to be turned off remotely
          After=network.target
          Wants=network.target
          
          # NOTE: Remember to check this file after making changes:
          #   sudo ./install.sh; systemd-analyze security fan_remote.service
          
          [Service]
          Type=simple
          ExecStart=/usr/local/bin/fan_remote -F2
          
          BindPaths=/dev/ttyS0
          BindReadOnlyPaths=/usr/local/bin/fan_remote
          CapabilityBoundingSet=
          CPUQuota=20%
          DevicePolicy=closed
          DeviceAllow=/dev/ttyS0
          DynamicUser=yes
          Environment=
          ExecPaths=/bin /usr/bin /usr/local/bin
          IPAddressDeny=any
          KeyringMode=private
          LockPersonality=yes
          MemoryDenyWriteExecute=yes
          MemoryMax=512M
          Nice=10
          NoExecPaths=/
          NoNewPrivileges=yes
          PassEnvironment=
          PrivateDevices=yes
          PrivateIPC=yes
          ProcSubset=pid
          ProtectProc=invisible
          PrivateMounts=yes
          PrivateNetwork=yes
          PrivateTmp=yes
          PrivateUsers=yes
          ProtectClock=yes
          ProtectControlGroups=yes
          ProtectHome=yes
          ProtectHostname=yes
          ProtectKernelLogs=yes
          ProtectKernelModules=yes
          ProtectKernelTunables=yes
          ProtectSystem=strict
          ReadOnlyPaths=/usr/bin/br
          ReadOnlyDirectories=/usr
          RemoveIPC=yes
          RestrictAddressFamilies=none
          RestrictNamespaces=yes
          RestrictRealtime=yes
          RestrictSUIDSGID=yes
          SocketBindDeny=any
          SupplementaryGroups=dialout
          SystemCallArchitectures=native
          SystemCallErrorNumber=EPERM
          SystemCallFilter=@system-service
          SystemCallFilter=~@chown @privileged @resources @setuid
          StandardOutput=journal
          TemporaryFileSystem=/usr/local:ro /usr/local/bin:ro
          UMask=0077
          
          # All irrelevant paths not covered by Private* options that the FHS says we
          # should be able to rely on existing (systemd will error out if one doesn't)
          InaccessiblePaths=/boot /etc /media /mnt /opt /run /sbin /srv /usr/include /usr/libexec /usr/sbin /usr/share /usr/src /var
          
          # Remaining `systemd-analyze security` concerns:
          # - DeviceAllow=/dev/ttyS0 is needed to access X10
          # - SupplementaryGroups=dialout is needed to access X10
          # - RootDirectory/RootImage would require building a containerized image
          #   for /usr/bin/br to access X10.
          # - I have no idea why ProtectClock is being reported as not set
          
          [Install]
          WantedBy=multi-user.target
          ...and the socket-activation file that allows it to not need access to network-related syscalls:

          Code:
          [Socket]
          ListenStream=23734
          
          [Install]
          WantedBy=sockets.target
          ...and that's without OSTree. You can get AppImage-like behaviour out of systemd just by using RootImage= and, if someone had written a Rust library to talk to the X10 Firecracker dongle so I didn't need to rely on /usr/bin/br, I'd be doing that since Rust and Go both make it so easy to depend only on the Linux kernel syscall ABI and nothing else. (For Rust, just make sure you're not depending on any C libraries, rustup target add x86_64-unknown-linux-musl, and then use --target=x86_64-unknown-linux-musl when you're building your binary to statically link a copy of libc.)

          EDIT: ...and it produces this systemd-analyze security fan_remote output. (Tip: If pasting preformatted whitespace requires using the DOM inspector, maybe your paste code is broken.)

          Code:
            NAME                                                        DESCRIPTION                                                                   EXPOSURE
          ✓ PrivateNetwork=                                             Service has no access to the host's network                                           
          ✓ User=/DynamicUser=                                          Service runs under a transient non-root user identity                                 
          ✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                 
          ✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                               
          ✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                           
          ✓ RestrictAddressFamilies=~AF_(INET|INET6)                    Service cannot allocate Internet sockets                                              
          ✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces                                                 
          ✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                                
          ✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                         
          ✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                               
          ✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                                       
          ✓ CapabilityBoundingSet=~CAP_RAWIO                            Service has no raw I/O access                                                         
          ✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                    
          ✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                      
          ✗ DeviceAllow=                                                Service has a device ACL with some special devices                                 0.1
          ✓ IPAddressDeny=                                              Service blocks all IP address ranges                                                  
          ✓ KeyringMode=                                                Service doesn't share key material with other services                                
          ✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                       
          ✓ NotifyAccess=                                               Service child processes cannot alter service state                                    
          ✓ PrivateDevices=                                             Service has no access to hardware devices                                             
          ✓ PrivateMounts=                                              Service cannot install system mounts                                                  
          ✓ PrivateTmp=                                                 Service has no access to other software's temporary files                             
          ✓ PrivateUsers=                                               Service does not have access to other users                                           
          ✗ ProtectClock=                                               Service may write to the hardware clock or system clock                            0.2
          ✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                   
          ✓ ProtectHome=                                                Service has no access to home directories                                             
          ✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                       
          ✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                            
          ✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                                   
          ✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                          
          ✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                                
          ✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                      
          ✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                 
          ✓ SystemCallFilter=~@clock                                    System call whitelist defined for service, and @clock is not included                 
          ✓ SystemCallFilter=~@debug                                    System call whitelist defined for service, and @debug is not included                 
          ✓ SystemCallFilter=~@module                                   System call whitelist defined for service, and @module is not included                
          ✓ SystemCallFilter=~@mount                                    System call whitelist defined for service, and @mount is not included                 
          ✓ SystemCallFilter=~@raw-io                                   System call whitelist defined for service, and @raw-io is not included                
          ✓ SystemCallFilter=~@reboot                                   System call whitelist defined for service, and @reboot is not included                
          ✓ SystemCallFilter=~@swap                                     System call whitelist defined for service, and @swap is not included                  
          ✓ SystemCallFilter=~@privileged                               System call whitelist defined for service, and @privileged is not included            
          ✓ SystemCallFilter=~@resources                                System call whitelist defined for service, and @resources is not included             
          ✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities                                 
          ✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                 
          ✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                               
          ✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                    
          ✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges                                         
          ✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                               
          ✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                           
          ✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces
          ✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces                                                  
          ✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces                                              
          ✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces                                          
          ✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces                                              
          ✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                      
          ✓ SystemCallFilter=~@cpu-emulation                            System call whitelist defined for service, and @cpu-emulation is not included         
          ✓ SystemCallFilter=~@obsolete                                 System call whitelist defined for service, and @obsolete is not included              
          ✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets                                               
          ✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                      0.1
          ✗ SupplementaryGroups=                                        Service runs with supplementary groups                                             0.1
          ✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                       
          ✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                         
          ✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                     
          ✓ LockPersonality=                                            Service cannot change ABI personality                                                 
          ✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                             
          ✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                                     
          ✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces                                             
          ✓ UMask=                                                      Files created by service are accessible only by service's own user by default         
          ✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                   
          ✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                   
          ✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                         
          ✓ ProtectHostname=                                            Service cannot change system host/domainname                                          
          ✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                   
          ✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                     
          ✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                             
          ✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                        
          ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                 
          ✓ RestrictAddressFamilies=~AF_UNIX                            Service cannot allocate local sockets                                                 
          
          → Overall exposure level for fan_remote.service: 0.4 SAFE 😀
          Last edited by ssokolow; 26 August 2023, 01:20 AM.

          Comment


          • #35
            Originally posted by caligula View Post
            The purpose of snaps is vendor lock-in. No other distro uses them. Also AMD and Intel make faster processors with larger memory support. The purpose of faster hardware is to run the same software as fast as it used to run a few years ago.
            Why are you even commenting when everything you say is absolutely wrong and backwards. Ubuntu can package its software in any way it wants and that has nothing to do with vendor lock-ins.

            It's as if you're calling all package repositories "vendor lock-in" because only a single distro (in general) can use that particular repository. No. The only way snaps could be a vendor lock-in mechanism was if CUPS developers themselves only distributed CUPS via snaps, which they obviously don't.

            Distros are free to package their software in any way they want. Those decisions will only affect their own distro, not the others.

            Comment


            • #36
              Originally posted by ssokolow View Post
              ...and systemd for the sandboxing", as is used by things like Fedora Silverblue.

              Here's the systemd unit file for a little daemon I wrote:

              Code:
              [Unit]
              ..
              [Service]
              ...
              → Overall exposure level for fan_remote.service: 0.4 SAFE 😀
              Hi there... I don't suppose there are any examples (that we can find up on GitHub or somewhere?) of how to do this sort of systemd sandboxed service, are there? Seems pretty interesting!

              Sorry, I know you just copy-pasted into the thread here. I would just appreciate a more permanent reference. That would be easier to find again later, for example in some documentation or other in-repo code example. Many thanks.

              Comment


              • #37
                Originally posted by curfew View Post
                Distros are free to package their software in any way they want. Those decisions will only affect their own distro, not the others.
                well i suppose the more relevant question to be asking here (for us distro users) is: how difficult would it be to switch over from modern ubuntu ---> to modern debian?

                for example (if i remember) from last time, is it true that ppas don't work over in debian?

                So exactly the amount of relative grief(s) being inflicted upon existing users, given their (much earlier) prior choice so many years before to decide to go with Ubuntu.

                or perhaps here is a different question:

                are there any so-called 'protest distros' coming out or to be maintained which replaces all the mandatory snaps with non-snap versions? for example learn linux (on youtube) gave such an example. but it's not really solidly supported. or could users instead consider switching to some other 'more serious' distros. such as vanilla os? (which btw is planning to drop ubuntu now, in favor of a debian base image).

                so my feelings are this is where the discussion should be at. to evaluate more seriously the variety of different possible options that are available to us. and see what the relative pros/cons are.

                another point is that over on windows there are de-clutter and 'fix windows' tools that cleans up the bad stuff in windows. so could there be enough reason for a similar tool to exist for ubuntu? that would include multiple 'selectable' tasks (including both the cups and firefox). the idea being that you can choose to either 'sort them out' or otherwise 'leave them alone' (as stock). and maybe even include some level of capability to reverse such changes. now: that might not be a permanent long term solution! but it could be a sort of short term one. to buy people a bit of extra time while trying to get off ubuntu for good.

                Comment


                • #38
                  Originally posted by curfew View Post
                  Why are you even commenting when everything you say is absolutely wrong and backwards. Ubuntu can package its software in any way it wants and that has nothing to do with vendor lock-ins.

                  It's as if you're calling all package repositories "vendor lock-in" because only a single distro (in general) can use that particular repository. No. The only way snaps could be a vendor lock-in mechanism was if CUPS developers themselves only distributed CUPS via snaps, which they obviously don't.

                  Distros are free to package their software in any way they want. Those decisions will only affect their own distro, not the others.
                  I'm not sure you can describe breaking every print server installation on Ubuntu and requiring everyone to refactor their setup from a universal Linux setup to something very specific to Ubuntu as anything other than an attempt at "vendor lock-in".

                  Even if it wasn't intentional, which I doubt, the backlash of forcing every faculty and other large Linux user to lock themselves into the snap fad is more likely to get them to switch to something like OEL9 than put the effort into a very Ubuntu-specific setup.

                  Comment


                  • #39
                    Originally posted by mcloud View Post

                    Benchmark opportunity right here
                    What do I get from that?

                    Originally posted by jeisom View Post
                    I think containerization is a great way to protect a system, but this seems way too “experimental research project” to ship on a major OS. As someone else stated, libraries being neglected with security issues seems likely. Even IF attackers don’t get filesystem access or for malware, it could still allow for system resources to be used potentially for things like mining or ddos attempts and the like.
                    I agree with you. In my opinion the basic system should be completely based on APT if you are on an apt-based system.

                    Originally posted by patrick1946 View Post

                    Are you working for the marketing department of Canonical? With Silverblue the base system is very basic. So updates are easy and there is no need for LTS versions anymore. And with flatpak you have so many different libraries like you have runtime except the files have the same sha. If ubuntu is sharing the libraries then you get the same problem as with traditional systems.
                    For sure, they gave me a billion every month.

                    Why do you get the same problem as with traditional systems? I don't get that point. The coreXX snaps are still universal to every distro.

                    Originally posted by ssokolow View Post

                    If that's true, it sounds like something they should fix.

                    Silverblue and Flatpak both use OSTree as the underlying "git for your OS" layer, and OSTree already does automatic deduplication within a scope, so all it should take to avoid the duplication between at least the base system and the Fedora Flatpak libs is to ensure the same library versions are used and patch whatever is necessary to ensure that OSTree sees the base system and the Fedora flatpak libs as being backed by the same scope.
                    On the basic install of Fedora Silverblue only the base system libs + Fedora Flatpak libs are preinstalled, but if you install one app from Flathub (and 99.9% people do that), also the Flathub libs are getting installed.

                    Getting back on topic, it wouldn't even be technically possible to outsource CUPS to Flatpak let alone the Gnome Terminal or the Gnome System Monitor.

                    Comment


                    • #40
                      Originally posted by dreamcat4 View Post
                      or perhaps here is a different question:

                      are there any so-called 'protest distros' coming out or to be maintained which replaces all the mandatory snaps with non-snap versions? for example learn linux (on youtube) gave such an example. but it's not really solidly supported. or could users instead consider switching to some other 'more serious' distros. such as vanilla os? (which btw is planning to drop ubuntu now, in favor of a debian base image).
                      Linux Mint by default is a de-snapped Ubuntu. The catch is they only support 3 DEs natively, namely Cinnamon, MATE and Xfce. So for fans of Gnome 3+ or KDE, they are on their own. (Linux Mint has been some sort of "protest distro" since Gnome 2 was EOL.) Linux Mint users enjoy a well-integrated Flatpak infrastructure so that one can search for and install Flatpak applications natively, so the removal of Snap is well compensated. Linux Mint also packages its own Firefox and Chromium in pure .deb form while Ubuntu has migrated them to Snap-only.

                      Comment
