Thread: To amuse the community
View Single Post
wicket's Avatar
wicket is offline wicket
2019-03-07 , 15:53
Posts: 634 | Thanked: 3,266 times | Joined on May 2010 @ Colombia
#34
Originally Posted by Maemish View Post
I'm trying to use this browser only for two services, using chrome data saver (the two services are already a compromize of privacy so chrome servers do not take away but give a certain amount of security add) and now trying to find right settings for firejail sanedbox which I installed from the jessie-backports. So no intention of using this to anything else than visiting/using two sites. And yes, the privacy matters in linux are not my best area. I just to use subgraph to secure my self but it was too difficult to mess around cause everything was behind something I didn't understand so here I am. Learning. Chmoding and chowing are things I just now learning not yet knowing exactly what they do. Now I have though learned that they do open many places and that I do not want. Trial and error.
I have to applaud you for experimenting, it's the best way to learn. I'm glad you found and are using Firejail, it's a great little tool that not many know about and will certainly help in securing your apps, but it may not help if you're making general usage mistakes. It's interesting to see that you're using Subgraph OS too, which uses a sandboxing system called Oz, somewhat similar to Firejail. It's fundamentally flawed as users must declare beforehand which apps/programs they want to be sandboxed, it's implemented entirely in userspace and relies on a daemon. Both of these tools actually inspired my Master's thesis. I wanted a something that sandboxes processes with namespaces and seccomp automatically and couldn't be circumvented by taking down a daemon. So I took a Linux kernel with grsecurity and I modified the execve system call to sandbox all spawned processes. I then modified grsecurity's RBAC tool to allow whitelist system call and namespace policies to be applied. It was pretty much a proof of concept but it mostly worked.
__________________
DebiaN900 - Native Debian on the N900. Deprecated in favour of Maemo Leste.

Maemo Leste for N950 and N9 (currently broken).
Devuan for N950 and N9.

Mobile devices with mainline Linux support - Help needed with documentation.

"Those who do not understand Unix are condemned to reinvent it, poorly." - Henry Spencer
Last edited by wicket; 2019-03-07 at 16:05.
 

The Following 5 Users Say Thank You to wicket For This Useful Post: