shellcode33 / archlinux-hardened
ArchLinux setup which focuses on desktop security
License: MIT License
This issue aims to list all the issues you might encounter because of Wayland, and potential workarounds, if any. This ArchLinux setup uses sway which is based on wlroots. I will try to keep it as up to date as possible, you can of course contribute.
Gimp 2.10.x uses GTK2 which requires X11. Therefore Gimp is not usable yet under Wayland.
Workarounds:
gimp-devel from the AUR (unstable)

By far my favorite screenshot utility is broken right now on Wayland.
In the meantime I use slurp + grim + wl-copy.
I have the following in my Sway config file:
bindsym Print exec grim -g "$(slurp)" - | wl-copy
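The one-line Sway binding above works, but it silently does nothing useful if slurp is cancelled with Escape (grim then gets an empty geometry) or if wl-copy is not installed. The following wrapper is an added example, not a script from the archlinux-hardened repository; the fallback file name under $HOME is an assumption, and it uses only the slurp, grim and wl-copy tools the issue already names.

```sh
#!/bin/sh
# Added example (not from the archlinux-hardened repo): a wrapper around
# grim + slurp + wl-copy that handles the two failure modes the one-line
# Sway binding ignores: the user pressing Escape in slurp (no geometry)
# and a missing clipboard tool.

# Return 0 if $1 looks like a slurp geometry string, e.g. "10,20 300x400".
# Coordinates may be negative on multi-output layouts.
is_geometry() {
    printf '%s\n' "$1" | grep -Eq '^-?[0-9]+,-?[0-9]+ [0-9]+x[0-9]+$'
}

# Name of the clipboard command to pipe into; wl-copy is the Wayland-native one.
clipboard_cmd() {
    if command -v wl-copy >/dev/null 2>&1; then
        echo wl-copy
    else
        return 1
    fi
}

# Select a region, then copy the PNG to the clipboard, or save it to a
# file (assumed path under $HOME) when no clipboard tool is available.
screenshot_region() {
    geom="$(slurp)" || return 1          # Escape in slurp: non-zero exit, capture nothing
    is_geometry "$geom" || return 1      # refuse to call grim with garbage
    if clip="$(clipboard_cmd)"; then
        grim -g "$geom" - | "$clip"
    else
        grim -g "$geom" "$HOME/screenshot-$(date +%s).png"
    fi
}

# Bind this instead of the raw pipeline, e.g. in the Sway config:
#   bindsym Print exec /path/to/this-script.sh
# and uncomment the next line so the script runs it when executed directly.
# screenshot_region
```

Pointing the Print binding at the script instead of the raw pipeline means a cancelled selection exits quietly instead of running grim with an empty -g argument.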
This issue aims to list all the issues you might encounter because of the linux-hardened kernel, and potential workarounds, if any. I will try to keep it as up to date as possible, you can of course contribute.
For what it's worth I have to say it has been pretty stable for me over the past few months. I was expecting it to break things more often.
This is probably one of the most controversial features of the Linux kernel.
It allows unprivileged users to create namespaces which allows them to perform root operations in a confined environment (by remapping user IDs). The thing is that this feature goes through code paths in the kernel that are usually only reachable by root, and that are not as well tested as regular "user code paths". Many security vulnerabilities have been discovered and exploited in the wild because of this feature. However it's been a while now since that feature was introduced, and it is now enabled by default on most mainstream distributions. Even in the regular ArchLinux kernel.
Container engines (docker, podman, LXC, etc.) heavily depend on this feature, and because it is disabled in linux-hardened, rootless containers cannot work. You have to run containers as root.
So now it's your choice to make, are you fine sticking to root containers or do you wish to use rootless ones? I made my mind, and decided to stick to root containers. But it could change.
If rootless containers are a must have for you, you can enable them using:
sudo sysctl -w kernel.unprivileged_userns_clone=1
If you want this change to be persistent, create a file in /etc/sysctl.d/.
For example the script try-to-fix-low-on-disk-space doesn't send notifications. This is because the echo NOTIFY statements are not sent to systemd's journal.
How to reproduce:
sudo btrfs filesystem usage / | grep df
fallocate -l 818.7GiB ~/.cache/mozilla/firefox/test
try-to-fix-low-on-disk-space
... but no desktop notification is sent.

sudo systemctl status auditd
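For the low-disk-space notification issue above, the helper below is an added example and not the repository's try-to-fix-low-on-disk-space script. It shows one way to get the message into the journal (via logger with a fixed tag, so it is searchable) and onto the desktop (via notify-send, only when a graphical session is actually reachable). The NOTIFY prefix, the low-disk-space tag and the 90% threshold are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the archlinux-hardened repo's script: report low disk
# space both to systemd's journal and to the desktop, and say so when the
# desktop side is unreachable instead of failing silently.

THRESHOLD=${THRESHOLD:-90}   # assumed percentage at which to warn

# Used percentage of the filesystem holding $1 (default /), digits only.
used_percent() {
    df --output=pcent "${1:-/}" | tail -n 1 | tr -dc '0-9'
}

# Return 0 when $1 (used percentage) is at or above $2 (threshold).
is_low_on_space() {
    [ "$1" -ge "$2" ]
}

# A plain echo only reaches the stdout of whatever unit ran the script;
# logger writes a tagged syslog record that journald stores, so
# `journalctl -t low-disk-space` finds it afterwards.
journal_notify() {
    logger -t low-disk-space -p user.warning -- "NOTIFY $1"
}

# notify-send needs the user's session bus. A system unit or timer has no
# DISPLAY/WAYLAND_DISPLAY, so in that case report failure to the caller.
desktop_notify() {
    if [ -n "${WAYLAND_DISPLAY:-}${DISPLAY:-}" ] && command -v notify-send >/dev/null 2>&1; then
        notify-send -u critical "Low disk space" "$1"
    else
        return 1
    fi
}

main() {
    pct="$(used_percent /)"
    if is_low_on_space "$pct" "$THRESHOLD"; then
        msg="/ is ${pct}% full (threshold ${THRESHOLD}%)"
        journal_notify "$msg"
        desktop_notify "$msg" || \
            echo "no desktop session reachable; see: journalctl -t low-disk-space" >&2
    fi
}

main "$@"
```

The split matters for the reproduction steps above: a script started by a system-level service will take the journal path and print the "no desktop session reachable" line, which is the symptom the issue describes, whereas the same script run from a user session (or a user-level unit with the session environment) will also pop the notification.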