Yes, I would love to see #sandboxing by default in #Debian and other Linux distributions!
@debacle @alatiera That's great - I love #Debian : ) I do wish, however, that #sandboxing native apps on Debian using #AppArmor was as #noobeasy* as using #flatpak apps with #Flatseal.
#noobeasy #noobsimple #newword #neword #did_i_just_invent_a_new_word?
Apple is still letting unverified media files reach decoders. That keeps an entire exploit surface alive.
Here’s a 2-layer validator model Apple could ship today—one that blocks malformed media before decoding ever begins. No decoder rewrites required.
https://medium.com/@jamweba/this-is-the-future-apple-should-already-be-shipping-<ID>
Pydantic Releases Sandboxed Python Execution Server for AI Agents via Model Context Protocol
#AI #Pydantic #PydanticAI #MCP #ModelContextProtocol #Python #LLMs #AgenticAI #OpenSource #DevTools #Pyodide #Deno #Sandboxing #AISecurity #AIIntegration
Bubblejail:
https://github.com/igo95862/bubblejail (COPR for Fedora)
Fortify:
https://git.gensokyo.uk/security/fortify (installed with nix and home-manager, so best on NixOS)
Crabjail:
https://codeberg.org/crabjail
nsjail:
https://nsjail.dev
More:
https://codeberg.org/crabjail/crabjail#related-projects
All these sandbox normal system binaries. And there are many more sandboxing tools out there.
#Linux #Security #Sandboxing #Flatpak #Snap
2/2
Pretty late, but comment to the #Snap and #Flatpak episodes:
My Flatpaks take up 30GB of space, after deduplication. A ton of outdated runtimes (badly maintained packages) and random stuff like #mpv or #ffmpeg shipped with apps instead of as a runtime extension are issues.
And no, you don't need to have an entire #distribution for #sandboxing. You can use #bubblejail and other new tools like #crabjail or #fortify.
For Flatpak and Snap, cross compatibility is 1st priority
1/2
@bohwaz @punkfairie @ajsadauskas @JessTheUnstill @tomiahonen That's exactly the problem, cuz #KaiOS nee #FirefoxOS was a good and solid basis not just for #LowEnd-Devices but could've been excellent for a more #secure mobile OS, as it has good potential for #sandboxing and #KISS-principle'd #Apps that are lean and efficient.
But then again when enthusiasts like @fuchsiii and I were shouting "#ShutUpAndTakeMyMoney!" to #Mozilla, they basically refused to sell any #device, and then we get the "#PSvita-Effect":
I've seen #AppArmor used primarily to *harden* the security of an existing program. Is it also reasonable to use it to *sandbox* known-malicious code? Or are other methods required?
(I assume you also want ulimit or similar on the side, but that's to prevent resource consumption attacks rather than sandbox escapes.)
And, of course: start taking #security seriously!
Your #Android and #Flatpak app should not exist if they have broken #sandboxing.
Set priorities, and communicate them. You literally made #Rust, but never advertise when you use it.
Take the tech youtuber bubble as a vector: just make something that is cool and you get the advertising for free. Pay a few podcasters, done.
Btw #Libreoffice is really great, and the #Flatpak works really well.
But do you know about all the integrations that rely on interactions between programs? Like #Kleopatra #Zotero #OLLama and many more.
Those may be currently broken, not sure. Zotero especially doesn't even have distro packages, so using the Flatpak makes a lot of sense.
Do you plan on doing more #SELinux hardening than #Fedora does?
Because how it is, SELinux on Fedora just makes #run0 a pain to use, while user processes are all unconfined, making it pretty pointless.
Or do you plan on making it user friendly?
There are many issues with #Flatpak that should be addressed. Alternatively, #UID #Sandboxing using #SimpleSandbox and SELinux could be used, which is way simpler and more secure, but relies on native packages.
#Syd is a rock-solid application #kernel to sandbox applications on Linux>=5.19. Syd is similar to Bubblewrap, Firejail, GVisor, and minijail. As an application kernel it implements a subset of the Linux kernel interface in user space, intercepting system calls to provide strong isolation without the overhead of full virtualization. Syd is secure by default, and intends to provide a simple interface over various intricate #Linux #sandboxing mechanisms such as LandLock, Namespaces, Ptrace, and Seccomp-{BPF,Notify} https://gitlab.exherbo.org/sydbox/sydbox
Finally! This will allow better process #sandboxing, and make the #flatpak and #android app finally an option?
@ktn @ct_Magazin @heiseonline @jolla
Pretty cool. But is it also anywhere near as secure?
#Android has a minimal #Kernel, and alternatives for all sorts of things like glibc/bionic.
The #SELinux support is also unique; not even #Fedora or #RHEL really use SELinux heavily for #sandboxing.
That runs without #usernamespace.s, using separate #UID.s, a super simple #Unix feature.
#Bluetooth is isolated. The #USB-port (on #GooglePixel with #GrapheneOS) I can switch off in hardware.
@kde@floss.social @kde@lemmy.kde.social
For people interested, maybe #crabjail and #crablock can be a solution!
https://codeberg.org/crabjail/crablock
A #sandboxing tool written in #Rust, featuring "bleeding edge #Linux #security features like #Landlock or MDWE_REFUSE_EXEC_GAIN."
@kde@floss.social @kde@lemmy.kde.social
Can you tell us what happens on the "sandbox all the things" goal?
I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.
(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)
Application #sandboxing with #firejail in linux
https://www.linuxnix.com/application-sandboxing-with-firejail-in-linux/
@mit_scharf @lamp #jar files are #portable, but in terms of #sandboxing I'm wary, as that is an option but few JREs implement it properly since it would often get in the way.
@lamp Also that isn't that portable, or as portable as #BSDjails, #bhyve and other #sandboxing options...