shellcode33 / archlinux-hardened

ArchLinux setup which focuses on desktop security

License: MIT License

Languages: Shell 27.35%, Python 72.65%
Topics: apparmor, archlinux, auditd, btrfs, encryption, hardening, luks, secure-boot, security, wayland

Contributors: fnicolini, shellcode33


archlinux-hardened's Issues

[META] Wayland related issues and workarounds

This issue aims to list all the issues you might encounter because of Wayland, and potential workarounds, if any. This ArchLinux setup uses sway, which is based on wlroots. I will try to keep it as up to date as possible; you can of course contribute.

Gimp

Gimp 2.10.x uses GTK2 which requires X11. Therefore Gimp is not usable yet under Wayland.

Workarounds:

  • Install gimp-devel from the AUR (unstable)
  • Wait for Gimp 3.0 to come out

Flameshot

By far my favorite screenshot utility is broken right now on Wayland.

In the meantime I use slurp + grim + wl-copy.

I have the following in my Sway config file:

bindsym Print exec grim -g "$(slurp)" - | wl-copy

[META] Hardened kernel issues and workarounds

This issue aims to list all the issues you might encounter because of the linux-hardened kernel, and potential workarounds, if any. I will try to keep it as up to date as possible; you can of course contribute.

For what it's worth I have to say it has been pretty stable for me over the past few months. I was expecting it to break things more often.

Unprivileged user namespaces

This is probably one of the most controversial features of the Linux kernel.
It allows unprivileged users to create namespaces, which lets them perform root operations in a confined environment (by remapping user IDs). The thing is that this feature goes through code paths in the kernel that are usually only reachable by root, and that are not as well tested as regular "user code paths". Many security vulnerabilities have been discovered and exploited in the wild because of this feature. However, it's been a while now since that feature was introduced, and it is now enabled by default on most mainstream distributions, even in the regular ArchLinux kernel.

Container engines (docker, podman, LXC, etc.) heavily depend on this feature, and because it is disabled in linux-hardened, rootless containers cannot work. You have to run containers as root.

So now it's your choice to make: are you fine sticking to root containers, or do you wish to use rootless ones? I made up my mind and decided to stick to root containers. But it could change.

If rootless containers are a must-have for you, you can enable them using:

sudo sysctl -w kernel.unprivileged_userns_clone=1

If you want this change to be persistent, create a file in /etc/sysctl.d/.

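An added example (not code from the archlinux-hardened repo) that reports the state of unprivileged user namespaces before you decide between root and rootless containers, and writes the persistent sysctl.d drop-in mentioned above. It checks the linux-hardened knob and, as a generalization, the mainline user.max_user_namespaces limit as well; the file name 99-userns.conf and the knob paths being parameters are assumptions made for testing.

```shell
#!/bin/sh
# Added example, not part of the archlinux-hardened project.
# Default knob locations; both are parameters so a constructed file can
# stand in for /proc/sys when testing.
HARDENED_KNOB=/proc/sys/kernel/unprivileged_userns_clone  # linux-hardened patch
MAINLINE_KNOB=/proc/sys/user/max_user_namespaces          # mainline: 0 disables

# Print "enabled", "disabled" or "absent" for one sysctl knob file.
# For both knobs a value of 0 means disabled; anything else allows userns.
knob_state() {
    file="$1"
    [ -r "$file" ] || { echo absent; return 0; }
    val=$(tr -d '[:space:]' < "$file")
    case "$val" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Combined verdict: either knob set to 0 blocks unprivileged userns, so
# "enabled" requires that neither says disabled. "unknown" means neither
# knob exists (e.g. inside a container without /proc/sys visibility).
userns_state() {
    h=$(knob_state "${1:-$HARDENED_KNOB}")
    m=$(knob_state "${2:-$MAINLINE_KNOB}")
    if [ "$h" = disabled ] || [ "$m" = disabled ]; then
        echo disabled
    elif [ "$h" = absent ] && [ "$m" = absent ]; then
        echo unknown
    else
        echo enabled
    fi
}

# Write the persistent drop-in for the choice made (assumed file name
# /etc/sysctl.d/99-userns.conf); a second argument overrides the path.
write_userns_dropin() {
    out="${2:-/etc/sysctl.d/99-userns.conf}"
    case "$1" in
        enable)  value=1 ;;
        disable) value=0 ;;
        *) echo "usage: write_userns_dropin enable|disable [path]" >&2; return 2 ;;
    esac
    printf '# rootless containers need unprivileged user namespaces\n' > "$out"
    printf 'kernel.unprivileged_userns_clone = %s\n' "$value" >> "$out"
}

# Usage: . ./userns-check.sh; userns_state; write_userns_dropin enable
```

Apply the drop-in with sudo sysctl --system afterwards so it takes effect without a reboot.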

Scripts run by auditd don't trigger desktop notifications

For example, the script try-to-fix-low-on-disk-space doesn't send notifications. This is because the echo NOTIFY statements are not sent to systemd's journal.

How to reproduce:

  • Check free disk space: sudo btrfs filesystem usage / | grep df
  • Create a huge file close to what's left on the drive: fallocate -l 818.7GiB ~/.cache/mozilla/firefox/test
  • Auditd will trigger try-to-fix-low-on-disk-space, but no desktop notification is sent
  • The echo statement doesn't appear in the output of sudo systemctl status auditd
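An added example, not code from the archlinux-hardened repo, of the pattern a script launched by auditd can use so that its NOTIFY lines land in the systemd journal (where the desktop side can pick them up, as the issue implies) instead of on a stdout nobody reads. The journal tag low-disk-space, the 90% default threshold and the df -P based check are assumptions.

```shell
#!/bin/sh
# Added example, not part of the archlinux-hardened project.

# Send one NOTIFY line to the journal. auditd does not wire the script's
# stdout to the journal, so prefer systemd-cat, then logger, then stderr
# (the last only so the function still works outside a systemd session).
journal_notify() {
    if command -v systemd-cat >/dev/null 2>&1; then
        printf 'NOTIFY %s\n' "$1" | systemd-cat -t low-disk-space -p warning
    elif command -v logger >/dev/null 2>&1; then
        logger -t low-disk-space -p user.warning "NOTIFY $1"
    else
        printf 'NOTIFY %s\n' "$1" >&2
    fi
}

# Extract the "Capacity" column (5th field) of one `df -P` data line,
# without the trailing '%'. Lines passed in tests are constructed.
used_percent() {
    # shellcheck disable=SC2086  # splitting the line into fields is intended
    set -- $1
    printf '%s\n' "${5%\%}"
}

# Return 0 when the line's usage is at or above the threshold, 1 otherwise.
disk_is_low() {
    [ "$(used_percent "$1")" -ge "$2" ]
}

# Check a real mount point; notify via the journal and return 0 only when
# it is low on space, so the caller can chain a cleanup step on success.
check_and_notify() {
    mount="$1"; threshold="${2:-90}"
    line=$(df -P "$mount" | tail -n 1)
    if disk_is_low "$line" "$threshold"; then
        journal_notify "$mount is $(used_percent "$line")% full (threshold ${threshold}%)"
        return 0
    fi
    return 1
}

# Usage from an auditd-launched script: check_and_notify / 90
```

Whether a journal line then becomes a desktop notification still depends on a user-session watcher following journalctl -t low-disk-space (or the tag your setup uses).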
