firejail, https://firejail.wordpress.com/

can be used to restrict and/or contextualize a process with namespaces. i was 
thinking of restricting ssh connections with it to prevent the free privilege 
escalation qubes gives malicious apps in case of an exploitable hole in ssh. 
but, firejail itself is more code to exploit, and though it matters less in 
qubes, setuid. 

so what thinks all of you? worth the extra attack surface?

was also thinking of using firejail's logging to flag attempts at sudo etc. as 
another means to flag a host with problems. this again, means extra code that 
itself could be exploited. 
