Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission, etc. It would be great if Elive integrated firejail to isolate processes.
I will try to play with it.
Is it for advanced users only, or could a normal person use it?
I am a former security consultant familiar with all that, but I was wondering if normal day-to-day people could use it without too many headaches.
@jfbourdeau anyone can use it by installing the firejail package, but it is easier for advanced users. I am suggesting that if firejail profiles were created for selected applications by default, it would help people who are unaware of online scams.
Could firejail bloat the OS with dependencies?
New users would most likely need Firetools; it requires basic Qt4 or Qt5 application runtime libraries.
Easier isolation might be better achieved for newbies by offering a Flatpak repo, but it would require work since Flatpak is available in Debian from Stretch onwards.
This, however, could not only solve the isolation but also get newer packages into a more dated system.
Elive had an amazing tool to isolate everything, written years ago, but it has never been published due to minor stability issues. In the end it worked really well, without bloat and without dependencies. It has been in the TODO since then; maybe it is time to give it some love again.
Actually this is becoming more interesting by now.
Flatpak and its family are walking fast forward.
It may be a good idea to remind @Thanatermesis of this issue (risk) (!?)
In a funny (no, not-funny) way, Flatpak is ridiculously insecure.
I said ridiculously because: it has a really nice structure to isolate things, it has controls over what an application has access to and what it does not, the entire application is in its own specific directory, etc. In other words, it is really well designed... except for one simple, extremely stupid thing: all those controls are optional.
What is the sense in creating a very well designed packaging system in which applications are isolated and well controlled... if all those controls are "optional"? In other words: any kind of malware can run from a Flatpak package. You should not trust any Flatpak until this isolation is a requirement in the packaging process and not an optional feature to enable.
And btw, Flatpak seems to be the best "pack" system around.
That's another thing, but I will need time to revive this old tool.
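Added example, not part of any post in this thread: a small auditor for the permission listing that `flatpak info --show-permissions <app-id>` prints, which shows how much of the sandbox a given package has opted out of. The sets of "broad" permissions are this example's own policy, and both sample listings are constructed.

```python
import configparser

# Policy assumed for this example: grants that leave little of the sandbox in place.
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
RISKY_SOCKETS = {"x11", "session-bus", "system-bus"}
RISKY_DEVICES = {"all"}

def _items(cfg, key):
    """Return a ';'-separated [Context] list as clean strings."""
    raw = cfg.get("Context", key, fallback="")
    return [v.strip() for v in raw.split(";") if v.strip()]

def audit_permissions(text):
    """Return a list of findings for one application's permission listing."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keyfile keys are case-sensitive
    cfg.read_string(text)
    findings = []
    for fs in _items(cfg, "filesystems"):
        if fs.startswith("!"):
            continue  # a negated entry removes access, it does not grant it
        base = fs.split(":", 1)[0]  # drop the :ro / :rw / :create suffix
        if base in BROAD_FILESYSTEMS:
            mode = "read-only" if fs.endswith(":ro") else "read-write"
            findings.append(f"filesystem {base} ({mode})")
    findings += [f"socket {s}" for s in _items(cfg, "sockets") if s in RISKY_SOCKETS]
    findings += [f"device {d}" for d in _items(cfg, "devices") if d in RISKY_DEVICES]
    return findings

# Constructed sample: an app that asks for the whole host filesystem and X11.
LOOSE = """
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download:ro;
"""

# Constructed sample: an app that stays inside the sandbox.
TIGHT = """
[Context]
shared=ipc;
sockets=wayland;
devices=dri;
filesystems=xdg-download:ro;
"""

if __name__ == "__main__":
    for name, listing in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, audit_permissions(listing) or "no broad grants")
```

An empty result only means none of the grants in this example's policy were found; it says nothing about what the packaged code does inside the permissions it does have.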