Linux
There is no such thing as a suid fuse2, you are talking about suid fusermount, and libfuse2, which hasn't been true for 3 years; the runtime is now static and doesn't depend on any libfuse (or any library) to work. And even back then it wasn't a hard dependency either, you could still run appimages by setting APPIMAGE_EXTRACT_AND_RUN=1, which makes them run without FUSE. The runtime still depends on a suid fusermount in PATH (it checks all the way to fusermount99 lol), however there is a much better runtime that does not need FUSE to work at all since it can use mount namespaces instead. Meanwhile flatpak has a hard dependency on fusermount, it actually broke recently on ubuntu because they wanted to restrict access to fusermount.
web browsers (and electron apps) already have their own internal sandbox, which actually gets weakened by flatpak, so it is actually not a good idea to be running those things with flatpak [1] [2] [3]
firefox recently finally got a fork server on linux, which means it is possible to at least get the zypak hack working with it, no idea if it has been implemented yet though.
You also can sandbox appimages with bubblewrap, which is the very same sandbox flatpak uses; I wrote this tool used by AM for that.
Apps will also have access to the portals, although I don't like this, and it looks like there is no easy way to disable access to portals other than disabling all access to dbus, which is bad.
We already had an incident where someone thought there was a sandbox escape when it was just the app opening the portal xd
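Added example, not code from the thread, from AM or from the commenter's tool: a small bubblewrap launcher for an AppImage that leans on two points made above, namely that APPIMAGE_EXTRACT_AND_RUN=1 removes the need for a suid fusermount inside the sandbox, and that the only blunt way to keep an app away from the portals is to not expose the session bus at all. The bind list, the private per-AppImage home directory, the function names and the `nodbus`/`portals` modes are my assumptions; it also assumes a merged-/usr host.

```shell
#!/bin/sh
# Added example (not from the thread or from any tool mentioned in it).
# Launch an AppImage under bubblewrap with a deliberately small view of the host.
#  - APPIMAGE_EXTRACT_AND_RUN=1: the runtime unpacks into a tmpfs /tmp instead of
#    FUSE-mounting, so no suid fusermount is needed (or reachable) in the sandbox.
#  - the real $HOME is replaced by a private per-AppImage directory, so the app
#    cannot read other programs' data (e.g. a browser profile) from the host home.
#  - mode "nodbus" (default) exposes no session bus socket at all, which is the
#    blunt instrument that also cuts off the portals; mode "portals" binds the
#    bus socket back in.
# Assumes a merged-/usr host. GUI apps additionally need their display socket
# (Wayland/X11) and /dev/dri bound in; that is left out to keep the policy short.

# sandbox_home APPIMAGE -> path of the private home used for this AppImage
sandbox_home() {
    printf '%s/appimage-sandbox/%s\n' "${XDG_DATA_HOME:-$HOME/.local/share}" "$(basename "$1")"
}

# sandbox_args APPIMAGE [MODE] -> bwrap argument list, one argument per line
sandbox_args() {
    app=$1
    mode=${2:-nodbus}
    printf '%s\n' \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$(sandbox_home "$app")" "$HOME" \
        --ro-bind "$app" "$app" \
        --setenv HOME "$HOME" \
        --setenv APPIMAGE_EXTRACT_AND_RUN 1
    if [ "$mode" = portals ]; then
        # session bus socket lives at $XDG_RUNTIME_DIR/bus; exposing it is what
        # gives the app (and the portals) a way in
        rt=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
        printf '%s\n' \
            --ro-bind "$rt/bus" "$rt/bus" \
            --setenv DBUS_SESSION_BUS_ADDRESS "unix:path=$rt/bus"
    fi
}

# run_sandboxed APPIMAGE [MODE]: build the argument list and exec bwrap
run_sandboxed() {
    app=$(realpath "$1")
    mode=${2:-nodbus}
    mkdir -p "$(sandbox_home "$app")"
    # one argument per line -> split only on newlines, no globbing
    IFS='
'
    set -f
    # shellcheck disable=SC2046
    exec bwrap $(sandbox_args "$app" "$mode") -- "$app"
}

# Usage when run directly:  ./sandbox.sh ./Some.AppImage [nodbus|portals]
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    run_sandboxed "$1" "${2:-nodbus}"
fi
```

The point of the two modes is the trade-off the comment describes: in `nodbus` the app gets no bus socket, so neither the portals nor any other D-Bus service is reachable; `portals` restores the socket and with it the whole session bus, because there is no narrower switch at this level.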
Yes, I understand that Flatpak weakens browser sandboxes; I was talking about the risk of a Flatpak which has access to the user home and therefore could, for example, access $HOME/.firefox and steal session cookies.
Also I based my assessment of using FUSE2 for normal AppImages on the security hardening used by Secureblue, mentioned here under the section "Filling known security holes".
Okay that makes sense.
kek they got it wrong. Also:
Interesting, I wonder if they prevent executing the ld-linux.so as well. There are two ways to preload libraries without having to modify the binary: the first is using LD_PRELOAD, the second is less well known, but you can run binaries by calling the dynamic linker first (internally this is actually how all dynamic binaries you execute work btw) and then use the --preload flag to load a library. That is, instead of:
you do:
I'm going to take a wild guess and assume the second is still possible in secureblue 👀
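Added example, written by me and not by the commenter, secureblue or any project named in the thread: a small classifier for the two preload vectors the comment above names, meant for an audit or a detection rule. A filter that only looks at LD_PRELOAD in the environment misses the second vector, because the library then appears only in the argv of the dynamic linker. The function names, the sample cmdline/environment records (constructed, not captured) and the `--scan` switch are my assumptions; the argv match is a heuristic, since a process can rewrite its own argv.

```shell
#!/bin/sh
# Added example (not from the thread, secureblue, or any project named here).
# Classify how a running process got a shared library preloaded, covering both
# vectors from the comment above:
#   1. LD_PRELOAD=... in the environment
#   2. argv[0] is the dynamic linker and a --preload flag follows
#      (glibc's ld.so takes the library list as the argument after --preload)
# A rule that only filters LD_PRELOAD misses vector 2, because nothing about
# the environment changes there; the evidence is in the command line.

# classify_preload CMDLINE ENVIRON
#   CMDLINE : argv joined with spaces (as /proc/PID/cmdline with NUL -> space)
#   ENVIRON : environment, one VAR=value per line (as /proc/PID/environ, NUL -> newline)
# Prints exactly one of: ld.so-preload, LD_PRELOAD, none
# Body runs in a subshell so set -f and the positional parameters stay local.
classify_preload() (
    cmdline=$1
    environ=$2
    set -f
    # Split argv on whitespace (intended; paths with spaces are rare in argv[0]).
    # shellcheck disable=SC2086
    set -- $cmdline
    case "${1##*/}" in
        ld-linux*.so*|ld.so)
            for arg in "$@"; do
                case "$arg" in
                    # --preload=... is matched defensively; glibc uses the two-argument form
                    --preload|--preload=*) echo ld.so-preload; return 0 ;;
                esac
            done ;;
    esac
    # Only a non-empty LD_PRELOAD counts; "LD_PRELOAD=" (empty) preloads nothing.
    if printf '%s\n' "$environ" | grep -q '^LD_PRELOAD=.'; then
        echo LD_PRELOAD
        return 0
    fi
    echo none
)

# scan_proc: run the classifier over every process whose environ is readable
# (your own processes, or everything when root) and print the hits.
scan_proc() {
    for d in /proc/[0-9]*; do
        [ -r "$d/environ" ] || continue
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || continue
        envs=$(tr '\0' '\n' < "$d/environ" 2>/dev/null) || continue
        verdict=$(classify_preload "$cmd" "$envs")
        [ "$verdict" = none ] || printf '%-6s %-14s %s\n' "${d#/proc/}" "$verdict" "$cmd"
    done
}

# Constructed sample records (not captured from a real system).
SAMPLE_CMD_1='/usr/bin/firefox'
SAMPLE_ENV_1='HOME=/home/u
LD_PRELOAD=/tmp/hook.so'
SAMPLE_CMD_2='/lib64/ld-linux-x86-64.so.2 --preload /tmp/hook.so /usr/bin/firefox'
SAMPLE_ENV_2='HOME=/home/u'
SAMPLE_CMD_3='/usr/bin/firefox'
SAMPLE_ENV_3='HOME=/home/u
LD_PRELOAD='

# Run with --scan to inspect the live /proc; otherwise classify the samples.
if [ "${1:-}" = --scan ]; then
    scan_proc
else
    printf 'sample 1: %s\n' "$(classify_preload "$SAMPLE_CMD_1" "$SAMPLE_ENV_1")"   # LD_PRELOAD
    printf 'sample 2: %s\n' "$(classify_preload "$SAMPLE_CMD_2" "$SAMPLE_ENV_2")"   # ld.so-preload
    printf 'sample 3: %s\n' "$(classify_preload "$SAMPLE_CMD_3" "$SAMPLE_ENV_3")"   # none
fi
```

Sample 2 is the case the comment is about: the environment is clean, and only the command line shows that a library was loaded ahead of the program. A hardening policy that wants to cover it has to restrict direct execution of the dynamic linker, not just the variable.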
I just realized your comment shows a Cromite AppImage? Where do you get that from?
https://github.com/pkgforge-dev/Cromite-AppImage
I had heard of AM, and I actually stumbled upon your tool before. Thank you for the tool. I wish AppImage was updated to include sandboxing by default.
AppImage is just a format, nothing is stopping distros from adding a binfmt_misc rule that makes all appimages be sandboxed with any tool. (this also means you can set this up so that they get executed inside a flatpak env btw)