I have been using firejail for most of these kind of applications, be it Obsidian, Discord, or the browser I am using. I definitely recommend people start using it.
I feel like I should keep track of all my comments on HN because I remember writing a lengthy comment on firejail more than once. I cannot keep doing this. :D
For user-space, there is usually bubblewrap vs. firejail. I have not personally used bubblewrap, so I cannot comment on that, but firejail is great at what it does.
The last comment was about restricting clipboard access to either X11 or Wayland which is possible with firejail quite easily, so if you want that, you can have that.
So do you configure firejail to give each app their own separate, permanent home directories? Like "firejail --private=/home/user/firejails/discord discord", "firejail --private=/home/user/firejails/chromium chromium", and so on?
FWIW, once you start whitelisting, it will only have access to those directories and files only, so Discord has no access to anything other than its own directory and ${DOWNLOADS}, which I should probably change.
You should check out the default profiles for many programs / apps under directory "/etc/firejail".
[1] You run it via "firejail Discord" or "firejail ./Discord" if you name it "Discord.profile".
I treat LS as a privacy/anti-telemetry/anti-accident tool, not as anti malware.
Obviously it can detect malware if there’s a connection to some weird site, but it’s more like a bonus than a reliable test.
If you need to block FS access, then per app containers or VMs are the way to go. The container/VM sandboxes your files, and Little Snitch can then manage externa connectivity (you might still want to allow connection to some legit domains—-but maybe not github.com as that can be use to upload your data. I meant something like updates.someapp.com)
I believe LS has some protections against this. Never tried them, but there are config related security options, incl. protection against synthetic events. So they definitely put some thought into that.
Or firejail. Or QubesOS using a dedicated VM. There are options, but it would still be nice if Obsidian had a more robust security model.
I have been using firejail for most of these kind of applications, be it Obsidian, Discord, or the browser I am using. I definitely recommend people start using it.
Sell it to us! Why do you use specifically firejail?
There are so many options, from so many different security perspectives, that analysis paralysis is a real issue.
I feel like I should keep track of all my comments on HN because I remember writing a lengthy comment on firejail more than once. I cannot keep doing this. :D
For user-space, there is usually bubblewrap vs. firejail. I have not personally used bubblewrap, so I cannot comment on that, but firejail is great at what it does.
The last comment was about restricting clipboard access to either X11 or Wayland which is possible with firejail quite easily, so if you want that, you can have that.
You can do a LOT more with firejail though.
https://wiki.archlinux.org/title/Firejail
https://man.archlinux.org/man/firejail.1
> bubblewrap vs. firejail
In case anyone else is curious, I found the following comparison in bubblewrap's repo.
- https://github.com/containers/bubblewrap#related-project-com...
I'm gonna try both and see which one I like. Thanks for this info! You're sure living up to your user name there. (:
So do you configure firejail to give each app their own separate, permanent home directories? Like "firejail --private=/home/user/firejails/discord discord", "firejail --private=/home/user/firejails/chromium chromium", and so on?
I have my own Discord.profile!
This is my ~/.config/firejail/Discord.profile[1]:
I have some things commented out but you could probably uncomment most.Some has this, too:
FWIW, once you start whitelisting, it will only have access to those directories and files only, so Discord has no access to anything other than its own directory and ${DOWNLOADS}, which I should probably change.You should check out the default profiles for many programs / apps under directory "/etc/firejail".
[1] You run it via "firejail Discord" or "firejail ./Discord" if you name it "Discord.profile".
This is great. Thanks for the detailed reply!
It was not THAT detailed and it makes me feel a bit guilty, so if you have any questions let me know.
FYI you can search your comment history with hn.algolia.com:
https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
Thank you, exactly what I have been looking for!
Little snitch can block open(2)?
I treat LS as a privacy/anti-telemetry/anti-accident tool, not as anti malware.
Obviously it can detect malware if there’s a connection to some weird site, but it’s more like a bonus than a reliable test.
If you need to block FS access, then per app containers or VMs are the way to go. The container/VM sandboxes your files, and Little Snitch can then manage externa connectivity (you might still want to allow connection to some legit domains—-but maybe not github.com as that can be use to upload your data. I meant something like updates.someapp.com)
Very, very good point
I got lazy
Time to crank the paranoidmeter up again
ty
I believe they're saying it can open, it just can't send the data anywhere.
Seems a little excessive, but here we are.
It still can encrypt everything and demand you pay some ₿₿₿₿.
If it can open and write any file on the OS, it's pretty much game over. Too many ways to exfiltrate data even without network/socket access.
Worse, what keeps this from editing the config files for Little Snitch (or similar blockers)?
I believe LS has some protections against this. Never tried them, but there are config related security options, incl. protection against synthetic events. So they definitely put some thought into that.
File system permissions?