App security on the Librem 5

What is the plan to secure the installed apps? E.g. preventing my music app from sending all my photos to the internet.

Is there a plan to use something like firejail or apparmor?
Or will Purism use their appstore in combination with flatpak? Who would verify the flatpaks?

Is the main goal to have something like on Android where you can grant/decline permissions for each app individually?

I saw apparmor running on the Librem5 phone earlier today.

I did not look deeper into its config.

1 Like

The number 1 thing is free and open source apps. If the app itself doesn’t want to compromise your data, you don’t have to rely on a sandbox keeping it from doing so.

If an app doesn’t want to, but has a security hole that allows data exfiltration wouldn’t a sandbox be a good thing?

FLOSS doesn’t mean without bugs.

4 Likes

Absolutely. Defence in depth is a good thing. That applies on a desktop too, of course. My point is simply that there’s no reason to worry more about it on a phone than on a desktop or laptop. About the only significant security difference is a phone is easier to steal, and is more likely to be left unattended for someone to try to do bad things with it in place. Firejail and the like don’t hugely help with that. Also, firejail can pose security problems for things run not inside a firejail sandbox (the assumption is the users who can run firejail are trusted).

2 Likes

Purism is focused on using Flatpaks for their apps for PureOS/Librem 5. A “Flatpak (formerly xdg-app) is software that is advertised as having a sandbox environment in which users can run application software in isolation from the rest of the system. Applications using Flatpak need permissions to have access to Bluetooth, sound (with PulseAudio), network, files, etc., permissions that are defined by the maintainer of the Flatpak and can be controlled (added or removed) by users on their system.” That along with AppArmor “(“Application Armor”) is a Linux kernel security module that allows the system administrator to restrict programs’ capabilities with per-program profiles.” This already starts to give you a good idea of where some of the security is within the OS.

3 Likes
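Added example (not from the thread and not Purism's tooling): a shell filter that reads the permission metadata printed by `flatpak info --show-permissions <app-id>` and flags the combination raised in the opening question, network access together with broad file access. The function names, the verdict strings and the choice of `host`, `home` and `xdg-pictures` as "broad" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdict strings are
# hypothetical; "broad" locations (host, home, xdg-pictures) are an assumption.

# Reads Flatpak permission metadata (keyfile format) on stdin, prints a verdict.
flatpak_exfil_risk() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }   # only [Context] counts
        in_ctx && $1 == "shared"      { shared = ";" $2 ";" }
        in_ctx && $1 == "filesystems" { fs = $2 }
        END {
            net = (shared ~ /;network;/)
            n = split(fs, entry, ";")
            broad = ""
            for (i = 1; i <= n; i++) {
                path = entry[i]
                sub(/:(ro|rw|create)$/, "", path)      # drop access-mode suffix
                if (path == "host" || path == "home" || path == "xdg-pictures")
                    broad = broad " " entry[i]
            }
            if (net && broad != "") print "network+files:" broad
            else if (net)           print "network-only"
            else if (broad != "")   print "files-only:" broad
            else                    print "neither"
        }'
}

# Prints one "app-id<TAB>verdict" line per installed Flatpak application.
audit_installed_flatpaks() {
    flatpak list --app --columns=application | while read -r app; do
        printf '%s\t%s\n' "$app" \
            "$(flatpak info --show-permissions "$app" | flatpak_exfil_risk)"
    done
}

# Run the audit only where flatpak is installed.
if command -v flatpak >/dev/null 2>&1; then
    audit_installed_flatpaks
fi
```

An app reported as `network+files` can be tightened per user with `flatpak override --user --unshare=network <app-id>` or `flatpak override --user --nofilesystem=home <app-id>`.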

What about a firewall? I find it useful; is it possible to install gufw?

Correction: apparmor is not running :( hehe, sorry, I must have seen that with crossed eyes.

1 Like

That would be something I would like to see as default.

Have you figured out why apparmor is not running, maybe a configuration issue?

@Seven I can look

here is current state

● apparmor.service - Load AppArmor profiles
Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Fri 2020-01-03 10:55:42 EST; 3s ago
└─ ConditionSecurity=apparmor was not met
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
Jan 03 07:51:22 pietro systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.
Jan 03 10:55:42 pietro systemd[1]: Condition check resulted in Load AppArmor profiles being skipped.

Looks like the kernel is missing the cmd line option security=apparmor

Apparmor will be enabled by default in the Librem 5 in an upcoming software update.

5 Likes
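Added example (not part of any post above and not Purism's code): a shell check that reports why `ConditionSecurity=apparmor` is unmet, as in the status output earlier in the thread. It assumes the kernel exposes `/sys/module/apparmor/parameters/enabled` when AppArmor is built in; the function name and the state strings are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. apparmor_state and its output strings
# are hypothetical names. File paths are parameters so saved copies of the
# files from another device can be checked as well.
apparmor_state() {
    enabled_file=${1:-/sys/module/apparmor/parameters/enabled}
    cmdline_file=${2:-/proc/cmdline}
    selected=no

    # No parameter file: AppArmor is not compiled into the running kernel.
    [ -r "$enabled_file" ] || { echo "not-built"; return 0; }

    # "Y": the LSM was initialised at boot, so profiles can be loaded.
    [ "$(cat "$enabled_file")" = "Y" ] && { echo "active"; return 0; }

    # Built in but not initialised: find the reason on the kernel command line.
    for arg in $(cat "$cmdline_file" 2>/dev/null); do
        case $arg in
            apparmor=0)        echo "off:$arg"; return 0 ;;
            security=apparmor) selected=yes ;;
            security=*)        echo "off:$arg"; return 0 ;;   # another LSM chosen
            lsm=*)
                case ",${arg#lsm=}," in
                    *,apparmor,*) selected=yes ;;
                    *)            echo "off:$arg"; return 0 ;;
                esac ;;
        esac
    done
    if [ "$selected" = yes ]; then
        echo "off:selected-but-not-initialised"
    else
        echo "off:not-selected"   # matches the diagnosis posted in the thread
    fi
}

# Report the state of the running system (or of the files given as arguments).
apparmor_state "$@"
```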

Linux defaults to pretty much not listening on any ports. If you need to listen on ports, but only for certain IPs, or block outgoing traffic, the built-in firewall is excellent. There are numerous frontends for it. I use fail2ban, which can detect bad actors via logfiles, and ban them from any connection.

Currently iptables does not work out of the box on Librem5 chestnut phone with PureOS.

root@pietro:~# uname -r
5.3.0-librem5-h1
root@pietro:~# iptables -L -n -v
iptables: Operation not supported.

I had to modprobe iptable_filter, then iptables said that I have to use iptables_legacy

1 Like

The current tendency is to move to netfilter from iptables so try instead
nft -j list ruleset
that wouldn’t work with fail2ban obviously (one of the reasons I’ve stopped using it).

[root@trx ~]# nft list ruleset
[root@trx ~]# nft add table inet fw
[root@trx ~]# nft add chain inet fw cin { type filter hook input priority 10\; }
[root@trx ~]# nft add rule inet fw cin ct state established,related counter accept
[root@trx ~]# nft add rule inet fw cin counter drop
[root@trx ~]# nft list ruleset
table inet fw {
	chain cin {
		type filter hook input priority filter + 10; policy accept;
		ct state established,related counter packets 5 bytes 714 accept
		counter packets 0 bytes 0 drop
	}
}
[root@trx ~]# nft flush ruleset
[root@trx ~]# nft list ruleset
[root@trx ~]#
1 Like

I was told in the Matrix chat room that there will be no firewall by default (as there are no open and listening ports by default) but that installing ufw or anything with a GUI would easily be possible.

Fail2ban is written in Python. It just uses os.system to add and remove rules. Porting it to use nft would be an hour's work at most.

Probably the Librem 5 will not have open ports by default, but some apps could, and as a security- and privacy-minded smartphone I think a firewall by default is pretty mandatory. I hope someone will adapt gufw for it.

Yes, I even did that. But after a certain update it stopped working, so I just trashed it after analyzing logs and seeing it actually didn’t provide much improvement, merely suppressed app logs (nginx and postfix).