| My hardware is unable to run Qubes OS. So I did something else. I sandbox using different machines and a KVM switch. That limits what domain the potential applications can reach. Then I use pledge on OpenBSD to further limit what apps can do. This is the default for many apps on OpenBSD and they can't access anything other than the specified directory. I used Firejail a few times, but optional security is no security at all. I played around with SELinux, but it seems to overcomplicate it. The situation seems to be that OpenBSD is the only system that limits what applications can do by default. Perhaps Linux systems or Mac will limit what apps can do in the future. OpenBSD has often been the first mover. As I get older, the "by default" is the way to go. I'm not a teenager anymore who can spend all afternoon toying around with the kernel configuration or xf86config. Obviously I can't use OpenBSD for everything, so I switch between systems. Because they are physically different machines, an app can't break out of the VM. You'll want to block SSH though. This is a simple and cheap solution that requires only some discipline about what laptop you use for what and a very messy table (4+ laptops). The machines will be compromised (pessimist view on security), but at least it would stick to one machine. OpenBSD takes security the most seriously at the kernel level, but X is still a security circus. The access applications have on default Linux, Windows or Mac is way too much for my liking. |