Hardening with Firejail, Landlock, and bubblewrap

Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a CLI that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.