Linux desktop sandboxing for dummies?

DeletedGravy

I'm yet another absolute rookie trying to pursue some sort of tricky balance of everyday privacy, security, and simplifying my digital footprint for both my mental health and peace of mind (those are contextually distinct, right? lol), understanding that nothing is one-size-fits-all. I have Graphene/Pixel and Pop!_OS/System76, for phone and home/school computer, respectively, tangibly on my very imminent horizon (next few weeks).

I've done my best to gather what I can from official info sources, this forum, and scattered tidbits on the web, and in many ways I remain lost. Given that I do not want to spend every waking hour of every day for months and months focused on just making stuff work to get started (not my line of work, not my idea of a fun hobby; I just really greatly value privacy and have to live/work in this era), I'd really love to know if any of y'all have insights into the methods people discuss for sandboxing apps in a desktop Linux distro like Pop. Is anyone willing to chime in and explain it to me like I'm five? Thanks a ton in advance.

Johnnyloans

Sandboxing isn't a switch to flip on for your set up.

You could sandbox as much as you can with QubesOS to separate your apps, devices, and files.
It sounds nice to keep anything from reading your files... But then your text editor can't access documents.
Your microphone and webcam can't be used with an app until you fidget around.

Also, this heavily depends on the IOMMU groups of your motherboard.

DeletedGravy Given that I do not want to spend every waking hour of every day for months and months focused on just making stuff work to get started

I'd stick to the set up you're comfortable with now.
Installing software via Flatpak and snap is a sandbox. (Don't install your browser this way). I would personally stick with apt.

Apps installed via snap/flatpak could just request all devices, access to system files or home. With that, what is the point?

Security/privacy and convenience is often a trade-off.

Blank

DeletedGravy maybe you can give a try to Fedora Atomic desktop. Although these OS aren't made for security reasons. I figured out it might serve this purposes as well. Fedora atomic are made to have an unbreakable (not unhackable) system. Root files are in read only mode. You're supposed to install apps with flatpak or container (toolbox). You can still install apps at system based (by layering) but you can rollback whenever something goes wrong with your system.

Also when installing services with layering they won't start automatically (unless you enable it manually). So it might prevent some shaddy services running at boot from a package you have layered.

edginess518

You can use Firejail or install apps from Flatpak for sandboxing, but what you probably want is Qubes OS.
Qubes is actually not Linux but a Zen Hypervisor that runs Linux or Windows virtual machines. Everything you want to isolate/sandbox you run in its own VM, but this ofc requires a lot of RAM (bad timing with prices).

DeletedGravy

First off, thank y'all for the answers. I do greatly appreciate it.

edginess518 , admittedly, I probably do not want Qubes. I think that's likely above my pay grade, and probably the kind of commitment that neither I nor my pretty tame use case are suited for (I suspect).

Johnnyloans , I was seeing all that about Flatpak, but I don't yet speak Linux, so I was absolutely getting confused (before asking here), and since people who know more about privacy than I do have very varied opinions, I got bogged down in seeing the quibbling over sandboxing in Linux. I took another gander and it's starting to make sense... sort of.
Why do you discourage Flatpak for browser? Am I reading you correctly that you're discouraging Flatpak generally? I'm not sure I'm following this:

Johnnyloans Apps installed via snap/flatpak could just request all devices, access to system files or home. With that, what is the point?

You're saying Flatpak apps can request permissions, so there's no point? Does Flatpak not add a convenient-enough layer of extra security to prevent apps from talking to each other?

Blank

edginess518 QubesOs is the best operating system for security out there. Nonetheless I suppose it's what he seeks since this operating system is aimed for users who have some technical knowledge. Maybe he would be overwhelmed ?

NoahRaketic

DeletedGravy Why do you discourage Flatpak for browser?

Browsers should not be installed as flatpaks because they don't allow important security features (namely namespaces). This significantly weakens the process isolation of both Firefox and Chromium, making successful exploits much more likely. This issue is unique to browsers; most other apps' security features are not broken by flatpak.

DeletedGravy You're saying Flatpak apps can request permissions, so there's no point? Does Flatpak not add a convenient-enough layer of extra security to prevent apps from talking to each other?

The problem is that permissions requested by apps are automatically granted on install/update. If an app requests broad permissions (I.e., full filesystem access, acquiring arbitrary permissions), then the sandbox is broken, and the app can do anything that an unsandboxed app can. This can be overrided with something like flatseal, but that will have to be checked manually for every app to ensure no dangerous permissions have been granted.

Johnnyloans

Noah answered your other questions.

DeletedGravy Am I reading you correctly that you're discouraging Flatpak generally?

It's personal preference for me. I'm sure flatpaks are finie. I already know how to use apt, dnf, and pacman. The software center (app store) in system76 provides flatpaks and native apt packages. It's all the same to click install or update from there.

For me, I'm not changing something that isn't broken. Don't want to risk/bother with file access or my dark theme not applying to all flatpak apps.

DeletedGravy Does Flatpak not add a convenient-enough layer of extra security to prevent apps from talking to each other?

I personally wouldn't be worried about this. Flatpaks can still communicate over Dbus to talk to other apps. Most apps are open source and not nefarious. If you're worried about microsoft software or something, go ahead.

At the end of the day, do whatever helps you sleep at night.

edginess518

The only way to not worry is to just use Qubes OS

NoahRaketic

edginess518 The only way to not worry is to just use Qubes OS

You absolutely have to be aware of threats on Qubes OS. Each Linux guest in Qubes OS has a massive attack surface on its own, especially in the default configuration. Effective usage necessitates a user with an understanding of concepts like virtualization and exploits, and the discipline to consistently make use of disposable Qubes for handling untrusted content.

ChromeOS, Android, and iOS allow a more "set it and forget it" approach to security, if that's what you mean by "not [having to] worry". Otherwise, you should be precise about what guarantees Qubes OS does and does not provide. It's not the silver bullet for security you might think it is.

DeletedGravy

I'm probably asking the wrong question, then. Maybe I should just ask:

What's reasonable beginner Linux security? Are there glaring "you should definitely do this" things beyond the default settings and generally being mindful and attentive? Again, low-threat threat model.
Is App Armor useful? It's probably there by default in Pop because it's based on Ubuntu, or no?
Is the disabled IME System76 has for their Intel machines worthwhile? What, then, about the AMD ones?
Is all of this just fluff I can ignore, for now, and I can just use a healthy dose of caution and common sense with mainstream run-of-the-mill software?

Y'all's insights have been helpful, thanks.

pixelfairy

DeletedGravy

First thing is to set up incremental offline backups. Your just starting to learn, your going to make mistakes and reinstall the os. Might as well make experimentation as painless as possible. https://support.system76.com/articles/backup-files/ Of course, also make at least 2 installers for the OS. The system 76 team is great and will help you. If you haven't seen it yet, they have a forum for pop-os too. https://chat.pop-os.org/landing#/login

Virtual machines are your friend. You can use them to compartmentalize for both security and organization, and to experiment. Look up boxes and virt-manager in the app store. Boxes is made to be beginner friendly, so you should start there. Theres lot of hypervisors (virtualization software). These are just two front ends to the best one.

You probably don't want to backup the virtual machines themselves, just the files you use. From there, learn how the system works. Vms can be re created and take up a lot of space on your backups. It only takes a few clicks to update and install whatever apps that vm needs. If you get into the command line, you can script and automate all that.

App Armor can be useful. And yes, its there from Ubuntu, and already on by default. Though its permissions can be pretty lax. With System76, its best to go with their recommendations on anything in the bios. Should be safe to turn off IME. You can turn it back on if need be.

Yes, you can ignore that stuff for now. You'll learn how to use them. If you want to look up apparmor, also look up ACLs and selinux. Like everything else, you can safely and freely experiment with them in virtual machines.

A phone running graphene-os more secure than any desktop not running qubes-os. (To anyone who wants to @ me, yes, this is a very general statement) A password manager (i recommend keepassdx) running on your phone is more secure than one running on your desktop. A keyboard plugged into your phone will help you type your long keepassdx passphrase. See xkcd/936 but note that they're talking time to access passwords that are rate limited by the server. You want 10 words (128 bits of entropy) for cryptographic passphrases like your keypass db. Conveniently, keypass can generate passphrases with as many words as you want. You'll probably want to write that down, encoded if you can deal with that, and then shred that paper when you've memorized it. Get used to memorizing long passphrases.

NoahRaketic

DeletedGravy Is the disabled IME System76 has for their Intel machines worthwhile? What, then, about the AMD ones?

If you're using an Intel computer, you should not disable Intel ME, it will cripple the security of your computer. It's not a backdoor and handles very important security features.

Johnnyloans

DeletedGravy Is the disabled IME System76 has for their Intel machines worthwhile? What, then, about the AMD ones?

Yes disable it. The built in disable was made for the government and NSA. (Security focused)
It'll still verify UEFI on boot. Disabling actually lowers your attack surface by kneecapping its network capabilities.

@NoahRaketic

pixelfairy

Also, lookup secureblue. Which you can run in a vm. Its a linux desktop meant to be secure. Everything above still applies.

NoahRaketic

Johnnyloans It absolutely should not be disabled. You are giving blatant, harmful misinformation and spreading FUD.

Yes, it is unfortunate how it was designed, but it handles very important security features as mentioned. https://en.wikipedia.org/wiki/Intel_Management_Engine

NoahRaketic

Johnnyloans Note that this toggle is designed for "specialized environments" specifically. It's not meant for general-purpose computing.

Johnnyloans It'll still verify UEFI on boot.

Whether the system still can verify UEFI depends on the implementation, including whether it's using that official "HAP" bit. Using this bit asks ME to disable itself after the boot process. Using me_cleaner without the soft-disable flag prevents BootGuard from being able to verify the UEFI on boot. Most implementations use alternative, open-source firmware and are incompatible with BootGuard even when this method of disabling ME is used. You are entirely relying on the UEFI not to get compromised as well as its update mechanisms to prevent tampering (which have had vulnerabilities affecting many users in the past). The chance of an average user getting compromised via an attack on UEFI firmware is more likely than attacks on ME.

Disabling ME also entirely loses fTPM functionality, with the main alternative on Intel computers being using a discrete TPM, which has a number of inherent physical security problems.

Users that are afraid of ME should use an AMD computer with remote management features toggled off, instead of disabling ME on an Intel computer.

Johnnyloans Very few computers are capable of utilizing IME's boot guard. So it won't run even with IME enabled fully.

And this is a security issue on the computers that cannot use it.

I'm not pretending that desktop security is not a mess; it absolutely is a mess. But disabling ME cuts off an important defense-in-depth security feature for consumers and makes already insecure hardware less so.

Johnnyloans

NoahRaketic blatant, harmful misinformation and spreading FUD.

The original security researchers discovering the built in kill switch:

One of the fields, called "reserve_hap", drew our attention because there was a comment next to it: "High Assurance Platform (HAP) enable".
-https://web.archive.org/web/20170829052412/http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

HAP is the NSA's guidelines on running a secure environment.

Intel confirmed they added in IME disable to meet the USA government's strict security standards:

The bit was reportedly added at the request of the NSA for PCs running in highly secure environments. Intel did confirm the kill switch for ME, telling the researchers, "In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s 'High Assurance Platform'program.
-https://hothardware.com/news/researchers-figured-out-how-to-turn-off-intel-management-engine-11-thanks-to-nsa

Johnnyloans

Very few computers are capable of utilizing IME's boot guard. So it won't run even with IME enabled fully.

-https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Disabling_the_Intel_Management_Engine#Prerequisites

Johnnyloans

NoahRaketic BootGuard

#1 requirement is the CPU must be integrated into the mobo. Almost no computers implement boot guard.

I was wrong about verifying uefi, OEMs don't care much about it.

NoahRaketic using a discrete TPM

This is more secure than a ftpm.

Physical security: no one on this forum will worry about government spies sanding off motherboard solder paste to MITM the TPM.

DeletedGravy

What's the story with AMD, then? I've heard there's not as straightforward or clear a way to accomplish what System76's approach to Intel is, but I don't know what I'm looking at or talking about. In both Intel and AMD cases, what are the tangible risks, realistically, for not disabling, in layperson's terms (explain it to me like I'm five, lol)

If the Intel ME disable feature should be avoided, or AMD is a better choice, with privacy in mind, then is Framework a solid alternative (especially with price in mind) to System76?

pixelfairy

Framework is a great choice! They don't advertise much about it, so heres the output of fwupdmgr security on one of their amd desktops. Its a good result, but the firmware is closed source. You can read about the output at https://fwupd.org/

$ fwupdmgr security
Host Security ID: HSI:3! (v2.0.12)

HSI-1
✔ SMM locked down:               Locked
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ SPI write protection:          Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid

HSI-3
✔ SPI replay protection:         Enabled
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ CET OS Support:                Supported
✔ fwupd plugins:                 Untainted
✔ Linux swap:                    Encrypted
✔ UEFI db:                       Valid
✘ Linux kernel lockdown:         Disabled
✘ Linux kernel:                  Tainted

This system has HSI runtime issues.
» https://fwupd.github.io/hsi.html#hsi-runtime-suffix

Johnnyloans

pixelfairy

Thank you.

How did you do the collapsible details menu? I only know of the HTML method and failed to get it to work here.

DeletedGravy

pixelfairy Thank you, this looks like a treasure trove of information, and I indeed have now gone and looked at their User Host Security Reports, but this is entirely terribly over my head. It appears Framework performs a lot better in this than System76, though I can't make heads or tails of the specific implications. I'm really not sure what to do with this, from here, and if I should just give up and switch to planning to order Framework, instead. I know people have made a stink about them not using coreboot.