Privilege Separation
Created by: ollieparanoid
@ata2001 asked in the chat:
Any idea how we are going to implement privilege separation? Like, every app should run as its own user/group and have its own home folder.
I have put some thought into this topic already and would like to share my opinion. For me, privilege separation is essential to have a reasonably secure system. All software has bugs, so we should make sure that these bugs have little to no impact on the security of the whole system, and this is made possible with privilege separation.
My approach would be using bubblewrap and/or firejail wrappers for at least the most popular programs. Both use seccomp filters from the kernel. We could put these wrappers into /usr/lib/hardening-wrapper/bin or a similar path (that's where Arch Linux ships wrappers for GCC to enable hardening flags by default), and they would use bubblewrap/firejail to start the actual program, but with disabled network or file access, or other syscalls, depending on what makes sense for the program.
We could put all wrappers into a postmarketos-hardening package or something to still make it optional (I'd prefer opt-out for that one), and use install_if rules to install only the wrappers for the programs that are actually installed.
With that being said, there's also SELinux and I can't really say what the advantages/disadvantages would be (SELinux is harder to configure?), so we will need more research and more opinions on that.
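A sketch of one such wrapper, added here as an example that is not part of the original post or of postmarketOS: it builds a bubblewrap (bwrap) profile for a program and then replaces itself with bwrap. The function names, the PROG placeholder, the assumption that the real binary lives in /usr/bin and that the system uses an Alpine-style layout with real /bin, /lib, /usr and /etc directories are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not postmarketOS's own code: a hardening wrapper of the kind
# described above, meant to live at /usr/lib/hardening-wrapper/bin/PROG and to
# start /usr/bin/PROG inside a bubblewrap (bwrap) sandbox. Assumes bwrap is
# installed and that /bin, /lib, /usr and /etc are real directories.

# build_bwrap_args PROG NET HOME_RW HOME_DIR  (hypothetical helper)
#   NET="no"      -> unshare the network namespace, the program gets no network
#   HOME_RW="no"  -> private empty tmpfs instead of the user's real home dir
# Prints one bwrap argument per line so the profile can be inspected and tested
# without launching anything.
build_bwrap_args() {
    prog=$1 net=$2 home_rw=$3 home_dir=$4
    # Read-only base system: the program can read but never modify /usr, /etc...
    printf '%s\n' --ro-bind /usr /usr --ro-bind /bin /bin --ro-bind /lib /lib
    printf '%s\n' --ro-bind /etc /etc --proc /proc --dev /dev --tmpfs /tmp
    # Fresh PID/IPC namespaces, new session, killed together with the wrapper.
    printf '%s\n' --unshare-pid --unshare-ipc --new-session --die-with-parent
    if [ "$net" = no ]; then
        printf '%s\n' --unshare-net
    fi
    if [ "$home_rw" = yes ]; then
        printf '%s\n' --bind "$home_dir" "$home_dir"
    else
        printf '%s\n' --tmpfs "$home_dir"
    fi
    # A compiled seccomp BPF filter could additionally be passed via --seccomp FD.
    printf '%s\n' -- "/usr/bin/$prog"
}

# run_wrapped PROG NET HOME_RW [ARGS...]  (hypothetical entry point): turns the
# printed profile into positional parameters and execs bwrap with them.
run_wrapped() {
    prog=$1 net=$2 home_rw=$3
    shift 3
    args=$(build_bwrap_args "$prog" "$net" "$home_rw" "$HOME")
    old_ifs=$IFS
    IFS='
'
    set -f                       # no globbing while splitting on newlines
    set -- $args "$@"
    set +f
    IFS=$old_ifs
    exec bwrap "$@"
}

# The installed wrapper for a program that needs neither network nor the
# user's files would end with:   run_wrapped PROG no no "$@"
```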