I'm new to Linux and am exploring ways to achieve a secure desktop environment without spending money on a new PC or using Qubes OS. I've heard about technologies like SELinux, Docker, and Bubblewrap, but I'm feeling a bit overwhelmed. In Qubes, you can launch apps in a secure way, like a web browser that auto-deletes itself after closing. I'm considering options like using Docker with Kata Containers or gVisor, but I'm confused about how those work compared to something like Distrobox. I found some tutorials, but they aren't specific to my Alpine setup. Essentially, I want to know how to secure my desktop without going as far as Qubes, while still keeping it relatively user-friendly. Any advice would be greatly appreciated!
2 Answers
Are you using Wayland for your sessions? That could affect your setup too! It's worth checking out if you're seeking improved security and performance.
You might want to check out Flatpaks for your use case. They run in their own environment using Bubblewrap, which isolates them from the rest of your system. There's a permission system that's similar to what you find in iOS/Android, so you can customize it as needed. I'd suggest tightening the default permissions with something like Flatseal.
Also, if you’re looking into containers, definitely consider using Podman instead of Docker. Podman is rootless, which reduces the attack surface, and it plays nicely with SELinux too. Just remember to manage your volume mounts to comply with SELinux labels. You can use Distrobox with Podman, but be careful as it can grant too much access to your host system by default.
For your security, you might want to heavily sandbox apps using Flatpak or Bubblewrap along with Podman. Following best practices will get you a secure enough setup without diving too deep and sacrificing usability.
Some of my apps are already Flatpaks, so I'm familiar with them. I will definitely explore Podman. I don’t mind if it takes a bit longer to load; I’m more concerned about the number of clicks and steps needed after setup. I just think about Qubes and how it emphasizes extreme security, not trusting anything. Thanks for your insights!
I totally get the concern about usability versus security. You might end up with more steps when configuring things, but once you set it up right, it should be smoother!
Yeah, I am using Wayland!