this post was submitted on 29 Apr 2025

19 points (100.0% liked)

Linux Questions

3123 readers

34 users here now

Linux questions Rules (in addition of the Lemmy.zip rules)

stay on topic
be nice (no name calling)
do not post long blocks of text such as logs
do not delete your posts
only post questions (no information posts)

Tips for giving and receiving help

be as clear and specific
say thank you if a solution works
verify your solutions before posting them as facts.

Any rule violations will result in disciplinary actions

founded 2 years ago

MODERATORS

possiblylinux127@lemmy.zip

I want the "Android" / GrapheneOS sandbox experience on Linux, is it achieveable? (lemmy.world)

submitted 8 months ago* (last edited 8 months ago) by MoonlightFox@lemmy.world to c/linuxquestions@lemmy.zip

13 comments fedilink hide all child comments

I really appreciate the GrapheneOS security model with detailed permissions for every app, including internet access.

I'd like to have something similar to that on my main OS. I like to be able to install an app without trusting it. So that I can be more lax with the FOSS projects and the proprietary stuff I use.

I use my PC for gaming, programming and personal stuff. I have been using Fedora for quite some time.

I know that QubesOS exists, and would give me the highest security and privacy guarantees, but i'd prefer something more elegant. I havent tried Qubes in 10 years though 🤔

Am I limited to Flatpak with Flatseal and similar solutions to Flatseal for AppImage?

Edit: I have a ryzen iGPU and a seperate dedicated GPU

all 14 comments

sorted by: hot top controversial new old

[+] that_leaflet@lemmy.world 9 points 8 months ago* (last edited 3 months ago) (1 children)

[deleted]

[–] hersh@literature.cafe 4 points 8 months ago* (last edited 8 months ago) (1 children)

To elaborate on this a little, you can use Flatseal to specify which directories a Flatpak app can have access to directly. For example, in a music player that stores the path of your music library, you'd want to use Flatseal to be sure it has direct access to that folder. This is similar to GrapheneOS's storage scopes.

Aside from that, apps can also call on a file picker that lets you choose any file/folder on your system, and flatpak then creates a virtual path to bridge to that file/folder without exposing the entire rest of the filesystem. This is nice for one-time open/save commands, but doesn't work for apps that need persistent access to a specific directory like in the music player example. This is similar to Android's file provider API.

I don't recall off the top of my head what flatpak apps have access to by default. Some subset of the home folder, I think?

[–] that_leaflet@lemmy.world 4 points 8 months ago* (last edited 3 months ago)

This comment should be deleted soon

[–] zer0@programming.dev 5 points 8 months ago

You might have some luck with Bubblejail or Firejail. Alternatively, you might want to give one of the Universal Blue images a try. They're Fedora based but immutable. Almost all installations are purposely done in a container using flatpak or distrobox.

[–] Kory@lemmy.ml 4 points 8 months ago (1 children)

Maybe checking out Secureblue would be something to consider?

[–] MoonlightFox@lemmy.world 2 points 8 months ago

Interesting project. Might be a good start

[–] Telorand@reddthat.com 3 points 8 months ago (1 children)

Have you looked into podman and Distrobox (which is a wrapper for podman), or toolbox? You can install non-flatpak apps in them, and if you want to get into the weeds, you can declare what each container's permissions are.

[–] MoonlightFox@lemmy.world 2 points 8 months ago (1 children)

"#### Security implications

Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak."

https://distrobox.it/#security-implications

Does not seem to be an ideal fit, but still interesting

[–] Telorand@reddthat.com 1 points 8 months ago

Yep, just depends what your particular goals are. They wouldn't have rootful access, but if you need more granular control, podman or docker are likely better suited.

[–] DeltaWingDragon@sh.itjust.works 2 points 8 months ago (1 children)

You can use AppArmor to semi-automatically generate security profiles for each app. Once the profiles are in place, it will enforce Mandatory Access Control, securing each app that has a profile.

Here's a guide, it's designed for Ubuntu but will work with any distro.

[–] MoonlightFox@lemmy.world 1 points 8 months ago

Nice, this seems cool, read a bit about it. I will definitely check it out.

[–] possiblylinux127@lemmy.zip 1 points 8 months ago (1 children)

What's the end goal?

[–] MoonlightFox@lemmy.world 1 points 8 months ago (1 children)

Similar security as Android. Being able to install apps without checking too closely if it is safe or not

[–] possiblylinux127@lemmy.zip 1 points 8 months ago

That's bad on Android as well

There is no way of making that work