notabot

Level 8
Thanks! I’ll definitely look at what he did. I’m more after profiles that are maintained rather than making my own, because even though I may have time to do the initial time investment, what I most certainly can’t do is the time investment to update the profile when Chrome updates in a way that breaks the profile (and almost certainly this will happen at some point).
 

JM Safe

From Zemana
Developer
Verified
Thanks! I’ll definitely look at what he did. I’m more after profiles that are maintained rather than making my own, because even though I may have time to do the initial time investment, what I most certainly can’t do is the time investment to update the profile when Chrome updates in a way that breaks the profile (and almost certainly this will happen at some point).
However if you use Linux I would only suggest: Firejail and GUFW. I didn't try AppArmor.
 

askalan

Level 15
Malware Hunter
Verified
The profiles actually come already with AppArmor/FireJail (I think) and are also maintained by them. If they need to be renewed (because of a new update for your browser), a simple update of AppArmor/FireJail in your software manager (apt, pacman, whatever...) is enough.

I also use Firejail like @JM Security and start my browser with:
Code:
firejail --ignore=seccomp --ignore=protocol firefox-esr %u -no-remote
I don't know what the exact differences between AppArmor and FireJail are, but they do the same thing in the end.
 

notabot

Level 8
The profiles actually come already with AppArmor/FireJail (I think) and are also maintained by them. If they need to be renewed (because of a new update for your browser), a simple update of AppArmor/FireJail in your software manager (apt, pacman, whatever...) is enough.

I also use Firejail like @JM Security and start my browser with:
Code:
firejail --ignore=seccomp --ignore=protocol firefox-esr %u -no-remote
I don't know what the exact differences between AppArmor and FireJail are, but they do the same thing in the end.

Thanks for this - I don’t have one for Firefox at the moment.

Firejail uses kernel namespaces, so it’s similar to dockerising your application
 

notabot

Level 8
It turns out that not seeing the file for Firefox’s AppArmor profile has to do with me installing Firefox as a snap app from the store.

Do you know where the AppArmor profiles for snap apps are?
 

notabot

Level 8
Looks like for snap apps AppArmor profiles are under /var/lib/snapd/apparmor

snap apps also have their own container system so they can’t be firejail’d

Overall I have to say

1) Linux security is much much better than in the early 00s
2) while Windows does have almost the same number of (almost) equivalent mechanisms, in Linux stuff that would be “enterprise” (or part of a “business” security suite) is available out of the box
3) a desktop machine running only snap apps from reputable publishers looks pretty secure, it would take a kernel level exploit or hardware assisted attack to “break” it
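
Added example (not part of any post in this thread): a shell check that a snap's AppArmor profiles are loaded in enforce mode, not just present on disk. It assumes the kernel's loaded-profile list at /sys/kernel/security/apparmor/profiles and the profiles subdirectory of the /var/lib/snapd/apparmor path mentioned above; neither path comes from the thread, and the sample input is constructed.

```shell
#!/bin/sh
# Report the AppArmor mode of every loaded profile belonging to one snap.
# Input format is the kernel's loaded-profile list: one "name (mode)" per line.

# Constructed sample input (not captured from a real system).
SAMPLE_LOADED='/usr/bin/man (enforce)
snap.firefox.firefox (enforce)
snap.firefox.geckodriver (enforce)
snap.firefox.hook.configure (complain)
snap.snap-store.snap-store (enforce)
firejail-default (enforce)'

# snap_profile_modes SNAP: read "name (mode)" lines on stdin and print
# "mode name" for that snap's profiles. Exit status is 1 if no profile is
# found or if any of them is not in enforce mode.
snap_profile_modes() {
    awk -v prefix="snap.$1." '
        index($0, prefix) == 1 {
            mode = $NF; gsub(/[()]/, "", mode)
            name = $0; sub(/ \([a-z]+\)$/, "", name)
            print mode, name
            found = 1
            if (mode != "enforce") weak = 1
        }
        END { exit ((found && !weak) ? 0 : 1) }'
}

# snap_profile_files SNAP [DIR]: list the on-disk profile files for a snap.
# DIR defaults to the assumed snapd location.
snap_profile_files() {
    dir=${2:-/var/lib/snapd/apparmor/profiles}
    for f in "$dir"/snap."$1".*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Demo on the sample. On a live system feed the real list instead (needs root):
#   sudo cat /sys/kernel/security/apparmor/profiles | snap_profile_modes firefox
printf '%s\n' "$SAMPLE_LOADED" | snap_profile_modes firefox \
    || echo "firefox: missing or not fully enforced"
```

A profile in complain mode only logs violations, so a non-zero status here means the snap is less confined than the presence of its profile files suggests.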