this post was submitted on 12 Jun 2026
33 points (100.0% liked)

Privacy

With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?

Flatpacking is great but not all applications support it.

Is it too much of a hassle?

[–] jbloggs777@discuss.tchncs.de 4 points 1 day ago (1 children)

A couple of tricks I use:

  • an apparmor profile tied to a shell script that wraps other commands... it restricts read & write access to a scratch directory... perfect for builds or one-off scripts.

  • iptables rules & cgroups to restrict network access... I have a setuid wrapper that drops privs again.

  • bwrap and mounting only what's necessary... quick to get going.

  • custom landlock wrapper, similar to apparmor but allows for quick userspace wrapping.

They can be combined too.

+1. May I add a few other helpful gizmos to that list?

  • firejail. Super easy one-off sandboxing. I have a bunch of aliases like "firejail --some-params -- some-command-i-wanna-sandbox".
  • lxc. Middleweight sandboxing. Easy to get a console into it and have a whole OS env, which is nice sometimes. Much lighter than a KVM sandbox. But not quite as secure since it uses the same kernel. Super great to control network config for an app or group of similar apps. And easy to put several related things into it that you wanna use all together. You can even use a separate VPN in each one.
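
The "bwrap and mounting only what's necessary" trick from the thread above, as an added example that is not any commenter's own script: a POSIX sh function that runs one command with a read-only `/usr`, a single writable scratch directory and no network unless requested. The function name `sandbox`, the `SANDBOX_DRY_RUN` variable and the `/scratch` and `/home/sandbox` paths are assumptions made for illustration, as is a merged-/usr distro and a bwrap new enough to have `--clearenv`.

```bash
#!/bin/sh
# Added example (not from the thread): one-off bwrap wrapper.
# Usage: sandbox SCRATCH_DIR net|nonet COMMAND [ARGS...]
# SANDBOX_DRY_RUN=1 prints the bwrap command line, one word per line,
# so the policy can be reviewed without launching anything.
sandbox() (   # subshell body: variables and 'exit' stay inside the function
    [ $# -ge 3 ] && [ -d "$1" ] || {
        echo "usage: sandbox SCRATCH_DIR net|nonet COMMAND [ARGS...]" >&2; exit 2; }
    scratch=$(cd -- "$1" && pwd -P) || exit 2   # resolve symlinks first
    case $scratch in   # a writable bind of these would defeat the sandbox
        /|/usr|/etc|/home|"$HOME")
            echo "sandbox: refusing scratch dir $scratch" >&2; exit 2 ;;
    esac
    net=$2
    shift 2
    n=$#   # number of words that belong to the command

    # Fresh namespaces (including net); die with the wrapper; new session
    # so the sandboxed process cannot push input into the caller's tty.
    set -- "$@" bwrap --unshare-all --die-with-parent --new-session
    # Do not leak tokens or agent sockets through the environment.
    set -- "$@" --clearenv --setenv PATH /usr/bin:/bin --setenv HOME /home/sandbox
    # Read-only system files; assumes /bin and /lib are symlinks into /usr.
    set -- "$@" --ro-bind /usr /usr --symlink usr/bin /bin
    set -- "$@" --symlink usr/lib /lib --symlink usr/lib64 /lib64
    # Throwaway /proc, /dev, /tmp and an empty home directory.
    set -- "$@" --proc /proc --dev /dev --tmpfs /tmp --tmpfs /home/sandbox
    # The only writable path that survives the run.
    set -- "$@" --bind "$scratch" /scratch --chdir /scratch
    if [ "$net" = net ]; then
        set -- "$@" --share-net --ro-bind /etc/resolv.conf /etc/resolv.conf
    fi
    # Rotate the command words from the front of the list to the end.
    while [ "$n" -gt 0 ]; do set -- "$@" "$1"; shift; n=$((n - 1)); done

    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; exit 0; fi
    exec "$@"
)
```

Anything else a tool needs (for example CA certificates under `/etc/ssl`) has to be added as a further `--ro-bind`, which keeps the list of exposed paths explicit.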