this post was submitted on 29 Dec 2023
33 points (100.0% liked)
Arch Linux
7750 readers
2 users here now
The beloved lightweight distro
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
If you don't use untrusted applications, you don't need firejail.
Similarly if you don't need know what Apparmor is used for, just don't use it. It's not mandatory and you will take the risky move by not configuring it correctly. Never follow any step by step process based on a shiny title if you don't fully understand what you're doing and why you'd need to go that route in the first place.
Arch is pretty stable and secure with the minimum configuration, especially for "regular" users (no negative meaning here, I'm one of them).
Not sure about this one. AFAIU, AppArmor cannot grant permissions not granted by DAC meaning that an incorrect configuration, at worst, will not do anything useful. I'm not seeing the risk here.
Can you elaborate on how Arch is secure against things like: me unknowingly running an untrusted program or an AUR package being compromised? Sandboxing, AppArmor, or an AV will not necessarily block all harm from these type of events, but at least they provide some form of mitigation.
If there may be no risk in using Apparmor misconfigured, it's still useless and not a good practice to use apps this way. Overall, this was more a general advice because other apps may have more negative effects when not properly configured. It's good to set up good habits from the start and stick to them.
I've built my answer based on the use-case you exposed (i.e. not using untrusted packages). As I said, if you are now planning on using untrusted packages, you should configure your system appropriately.
Re: AUR, it's quite safe. In theory it can be harmful but only if the user is not careful. You should always inspect PKGBUILDs and *.install files when building packages from the AUR (the pacman wrapper you use to download from AUR should have a dialogue which prompts you to do this). I have personally never experienced any troubles using packages from AUR (and I have quite some) because the community is usually pretty vigilant but also because I use only packages maintained for long time by known developers.
Hope this helps. You can learn more by reading the arch wiki (which is recognized to be the best one so use it at your advantage) and by doing simple searches on the arch forum. Both resources were dramatically helpful to me understanding what arch is, how it works, and what to expect when I started using it 15 years ago.