You can limit what a given package has access to with kernel based security package profiles for packages like apparmor, selinux, smack or tomoyo. Someone with root access can change this but it can be helpful at preventing someone from gaining that access in the first place.
Kernel based security packages profiles? What is that?
The definitive guide to selinux.
First and foremost, you are outright dismissing Flatpak, which accomplishes all of your goals pretty much, with a vague desire to use "plain old Linux" instead of a proper motivation. You should really stop and ask yourself, WHY not Flatpak? What do you actually want, and why is Flatpak not the answer to that?
I point this out first because then in the next paragraph you mention some tools such as Firejail. Which is attempting to do more or less the same as flatpak, but in a more crude/less polished form. And neither Flatpak or Firejail are "plain linux", they're just fancy wrappers around a whole bunch of actual "Linux features", like namespaces, seccomp, cgroups, users, chroot, filesystem permissions, and other higher-level tools such as bubblewrap (in the case of flatpak).
So, do you want to learn the underlying primitives/underlying tooling? If so, start with users, filesystem permissions, and Linux namespaces and the other Linux features I've listed.
Or do you want to just deploy applications in a sandboxed environment? If so, use Flatpak/Firejail/Snap/Linux containers such as Podman or Docker, etc. Then manage permissions using Flatseal (in the case of flatpak), and you're done.
How should I do this? I need some sources to read all about linux user accounts.
You should stick with trusted sources such as TLDP, Redhat/Fedora docs, Archlinux Wiki, Gentoo Wiki, etc. For example, regarding users:
Thanks for response!
Well not every app is in flatpak. Like steam gives you a .deb to download and not a flatpak. Only for this reason I said "dont say about flatpak". I would definetly use flatpak where ever possible. I was simply asking for help in linux permsions and users in case I cant run app in flatpak. It isn't a vague desire for "plain old linux" but instead a desire for when flatpaks arent possible, I need to do the same for it with plain linux.
But now I understand that these tools I mentioned arent really plain linux like I thought. I should have asked the question properly Also I didnt know firejail was like flatpak though.
So I now understand what to ask exactly.
I want to learn underlying tools which apps like flatpak and firejail use. Mainly the user permssions and filesystem permissions. Dont want to learn the application themseleves but want to do myself what these applications do in behind the scenes.
Thanks for the sources though!
I have two apparmor profiles targeting shell scripts, which can run other programs. One is "audit" (permissive with logging) and the other is "safe" (enforcing).
The safe profile still has a lot of read access, but not to any directories or files with secrets or private data. Write access is only to the paths and files it needs, and I regularly extend it.
For a specific program that should have very restricted network access, I have some iptables (& ip6tables) rules that only apply to a particular gid, and I have a setgid wrapper script.
Note: This is all better than nothing, but proper segregation would be better. Running things on separate PCs, VMs or even unpriviliged containers.
I have heard a lot of this apparmor but don't know anything about it. I know the name explains it, but what is it exactly? What does it do?
Also you say as if creating profiles and users are different? Isn't creating user accounts same as creating a new profile in linux, or am I confusing with profiles which are in apparmor?
Would appreciate some articles and tutorials regarding apparmor
An apparmor profile is associated with an executable, based on its filesystem path. I think distributions tend to support either SELinux or Apparmor, but some (like Arch) support both.
Apparmor profiles are easier to reason about than SELinux, I find.
@jbloggs777 @LifeLemons While it's true distributions tend to choose apparmor or selinux by default (apparmor in the case of debian derived OS's and selinux in the case of Redhat derived OS's), all four are actually supported by the kernel and most distros include all in their repositories it's just that those come installed by default.
Commenting to come back and check, for I too would like to learn
You can save posts
Yeah but then I forget about them :(
Linux
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0