> There's no security model for desktops that works well.
Don't you think that something which combines ideas from Firejail and Guix containers could be good enough?
For those who have not used Firejail, it is a sandbox that comes with default security profiles for most popular Linux binaries, so it's pretty unobtrusive. Say you want to run Firefox: Firejail limits Firefox's access to ~/.mozilla and ~/Downloads by default. So, in case Firefox is compromised, attackers can't steal things from other $HOME directories like ~/.ssh.
On the other hand, Guix lets you launch ephemeral shells, like Nix, with any combination of packages. Unlike Nix, it provides a very convenient set of flags to sandbox the shell in terms of network, files, etc. This is handy for development tasks where you would like to have fine-grained capabilities.
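The two setups described in this comment, as an added example that is not from the thread: a bubblewrap (bwrap) invocation that reproduces the Firefox policy (read-only system, an empty $HOME with only ~/.mozilla and ~/Downloads bound in), and the Guix shell counterpart for a sandboxed development shell. It assumes bwrap and guix are installed; the helper function names are ours.

```bash
#!/usr/bin/env bash
# Added example, not the thread's own code. Assumes bubblewrap (bwrap)
# and guix are installed; function names below are our own choice.
set -euo pipefail

# Print the bwrap argument list, one per line, for an allowlist of $HOME
# subdirectories. $HOME itself becomes an empty tmpfs, so ~/.ssh and every
# other directory not listed simply do not exist inside the sandbox.
firefox_sandbox_args() {
    local home="$1"; shift
    printf '%s\n' \
        --ro-bind /usr /usr --ro-bind /etc /etc \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
        --dev /dev --proc /proc --tmpfs /tmp \
        --tmpfs "$home"
    local dir
    for dir in "$@"; do
        # only the allowlisted directories are mounted, read-write
        printf '%s\n' --bind "$home/$dir" "$home/$dir"
    done
    # new namespaces for everything, but keep the network for a browser
    printf '%s\n' --unshare-all --share-net --die-with-parent --new-session
}

# Usage: run_sandboxed "$HOME" firefox   (returns 127 if bwrap is missing)
run_sandboxed() {
    local home="$1"; shift
    command -v bwrap >/dev/null || return 127
    local -a args=()
    mapfile -t args < <(firefox_sandbox_args "$home" .mozilla Downloads)
    bwrap "${args[@]}" -- "$@"
}

# Guix counterpart for development: a container that sees only the project
# directory (read-write via --share) and gets network access only because
# --network is passed explicitly; --no-cwd keeps the caller's cwd hidden.
guix_dev_shell_cmd() {
    local project="$1"; shift
    printf 'guix shell --container --network --no-cwd --share=%s %s\n' \
        "$project" "$*"
}
```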
Jails are fine and nice but always get in your way when you expect to do things as you would on a desktop, and you want a computer and not a software appliance like iOS.
Just look at how many flatpaks are distributed with broad insecure access, how many workarounds have to be made for apps to work when reasonably jailed, the presence of tools like flatseal.
Firejail uses "Linux container" technology (term?) which is not that secure. Better is using SELinux to confine the browser, like Android and ChromeOS do.
(Fedora and Red Hat have SELinux, too, but the focus is on server security: there is no attempt to confine browsers in the SELinux rules that ship with Fedora and Red Hat.)
For me the interesting part of Firejail is the interface. bwrap is usually recommended as a replacement given that the binary is smaller and thus offers less attack surface, which I think is the usual concern. Firejail employs kernel user_namespaces, but also offers integration with AppArmor.
> On the other hand, when Telegram asks you to share all your contacts and images with it, people do.
This is where Android shines with storage and contacts scopes. You can share an empty scope with the app and it will stop bugging you, and have access to nothing!
Qubes has an excellent security model and should be a top choice (if not _the_ top choice) for security-minded and technologically sophisticated users.
I used Qubes for a year or two, and then realized that my main use case was to isolate the browser, which to me was the greatest threat vector compared to everything else I use. Then I thought, if I just wanted a system with the browser isolated from my main Linux environment, wasn't that exactly what ChromeOS provided?
So I switched to ChromeOS and have stayed on it ever since.
The isolation in Qubes is much more reliable and flexible. I'm not even talking about Google's shady privacy practices. I'd never trust them with my OS or browser.
Seconded. Been daily driving it on ThinkPads now for something like two years. I will never go back, and one of the few things which might draw me off Qubes OS is if OpenBSD clean-room reimplemented Qubes OS with their own OS and hypervisor. (OpenBSD because nobody beats their long-term code quality and consistency.)
> quBSD is a FreeBSD jails/bhyve wrapper which implements a Qubes inspired containerization schema. Written in shell, based on zfs, and uses the underlying FreeBSD tools.
Not saying it'll do what you want, but the idea is out there...
> There's no security model for desktops that works well.
> Like another commenter said iOS has no legacy cruft and could deliver the security model that made sense.
Yeah, I was just wondering about this. Seatbelt is also mentioned in the presentation; I thought this had been considered deprecated legacy for years. IIRC the last time I checked for sandboxing I basically couldn't find anything recent at the application level.
https://news.ycombinator.com/item?id=37655477
There's no security model for desktops that works well.
Like another commenter said iOS has no legacy cruft and could deliver the security model that made sense.
On the other hand, when Telegram asks you to share all your contacts and images with it, people do.