What would be THE answer to non-VM compartmentalization-based desktop linux security ?

[ple1n]

I recently settled for opensnitch which seems to be the optimal choice in class.

• It suits desktop use
• It has a GUI, and prompts the user for adjusting configuration.
• What it does is clear and intuitive to me, without reading docs, or becoming an expert in the field. Thanks that networking is simpler and it shows the grand picture in GUI.
• Its behavior matches an average user's expectation. It does/should not have hidden traps that undermine security.

I don't have a clear idea what the state of the issue is. It seems firejail/apparmor have obscure docs, or they are not intended for average/sane users, maybe as the basis for more friendly wrappers. Flatpak/bubblewrap currently doesn't support Netns (so personally I use firejail to sandbox firefox, in a proxied netns).

[igo95862]

From the looks of it opensnitch is a firewall application that does not actually provide the file system sandboxing.

bubblewrap currently doesn't support Netns

It does in a sense that it can create a new network namespace for sandbox. However, it does not provide any tools to work with new namespace. You can use tools like slirp4netns to create networking for the new namespace. Bubblejail has a service that can use slirp4netns to create separated networking in sandbox.

[ple1n]

Yep, I took opensnitch as an example. I am baffled by the current state of things, everything around this compartmentalization problem and that it is a giant mess. They are all incomplete and full of traps. They don't assure me of any security. I could use my own scripts to get it work somehow but these are hacks, since I don't have enough domain knowledge. I can not convince myself that I am secure. My point is that an ideal solution of the problem would assure the user through GUI, ie. by showing all possible ways an application may interact with the system in a dialog, like the editing window of a firewall rule, but for filesystem, syscalls and other things I don't even know. I have no idea what apparmor/firejail is actually doing, what an application can access and what it can't.