My main query is regarding the Librem 5, but could be set for other purism devices. The goal being to isolate directories that are not needed to be talked to by applications. If I use firejail for Chatty for instance, the directories not needed for functionality could be separated from being interacted with if a malicious file or other exploit was utilized against Chatty or Calls.
2 Likes
I’m not sure I understand. Firejail is already offered in PureOS (version may be lagging a bit but still). There are profiles already for most common apps and they are easy to start (as in, firejail vlc in stead of vlc). Run firejail --list to see all the ready sandboxes. You can have the apps you want to firejail to have in their icon start commands firejail. You can already do all that. Not bad way to harden your system and if we ever get an L5 hardening guide (hint) it should be part of it.
Or do you mean that it would be set to most apps in PureOS install? There is the Landlock security module but apparently (according to that firejail git page) it’s still experimental, under development. Maybe not to Crimson at this point (unless it’s already worked on…?), but you could make a ticket for it for Dawn.
2 Likes
My thought was for mainly Chatty and Calls, to help isolate incoming connections to lessen the likelihood of attacks by bad actors.
1 Like
So I guess you need to be the change that you wish to see …
Install firejail on your Librem 5, develop or use a suitable profile, close the existing app (if running), (re-)run it via firejail, share your experience.
At first look, the existing profiles probably cover the most vulnerable applications. The more “input” from untrusted external parties, the more vulnerable an application. Web browsers must be right up there as vulnerable.
3 Likes
I may have a friend write test malware to throw at those endpoints I discussed so isolation can be tested. Reduce threat vector, and if the firejail profile works well for Chatty and Calls then maybe Purism can incorporate those findings.
2 Likes