ctr1 @ ctr1 @fl0w.cc

Posts

0

Comments

59

Joined

2 yr. ago

I usually use Awk to do the heavy lifting within my Bash scripts (e.g. arg parsing, filtering, stream transformation), or I'll embed a Node.JS script for anything more advanced. In some cases, I'll use eval to process generated bash syntax, or I'll pipe into sh (which can be a good way to set up multiprocessing). I've also wanted to try zx, but I generally just stick to inlining since it saves a dependency.

I started by writing small scripts to automate things, but really got into it after learning how fun it can be to make the computer do stuff. I also see it as a kind of creative outlet, but in general I just want to learn how to fix anything in software if I'm not satisfied with how it works.

I use LUKS-encrypted LVM volumes to store everything (and transfer via SSH or HTTPS), but would use GPG if I needed to encrypt individual files.

Ah good to know! Will try that if I ever run into issues, thanks

I've been using it for years and I think it's great. Currently on a 6 Pro. It's true that some apps don't work without Google Play services, but GrapheneOS has the option to install the google stuff in a sandbox, so you shouldn't run into any issues if you do that. Personally, I don't use Play services unless I need to, and use Aurora store for any apps that aren't on F-Droid.

In any case, you can always revert to stock or try another OS

Edit: as faede has pointed out, it appears that Google Wallet has issues. Also, the usage docs mention issues with banking apps in general, so that's something to consider

If you're willing to spend the time to learn how to write custom policies, SELinux can be used for this, to some extent. It's highly customizable and can sandbox your apps, but the process of doing so is quite complicated. I wrote a small guide on custom policy management on Gentoo in another comment if you're interested.

There's also apparently a "sandbox" feature, but I don't know much about it. I just write my own policies and make them as strict as possible.

As an example, my web browser can't access my home directory or anything except its own directories, and nobody (including my own user), except root and a few select processes (gpg, gpg-agent, git, pass) can access my gnupg directory.

This only covers security/permissions, and doesn't include many of the other benefits of containerization or isolation. You could also try KVM with libvirt and Gentoo VMs; that works pretty well (despite update times) and I did that for a while with some success.

np! Hope it helps; it's a big pain but I do think it's pretty secure if configured correctly

Awesome! Here are a few things that come to mind:

Make sure you have some aliases/functions for common operations:

• audit2allow -a to view audit violations (or -d for dmesg audits)
  • also -r to add a requires statement for module construction
• restorecon -Rv to recursively apply file contexts from policy (or -FRv to also apply user context)
• rm -f /var/log/audit/audit.log.*; >/var/log/audit/audit.log to clear audit logs
  • note: sometimes lots of logfiles (audit.log.1, etc.) collect, slowing down audit2allow
• chown -R user:user PATH; chcon -R -u user_u PATH to recursively change labels to user
  • could be generalized for arbitrary Linux/SELinux users
• semanage fcontext -a -t TYPE PATH -s $SEUSER to add a custom file context to the policy
  • e.g. semanage fcontext -a -t "user_secrets_t" "/home/[^/]+/.secrets(/.*)?" -s user_u
  • I've had better luck with this approach than the standard method of creating a .fc file, but in any case a custom policy is needed to create custom types
• semanage fcontext -d PATH to remove a custom file context
• semanage fcontext -lC to list custom file contexts
• semodule -DB to rebuild policy with all dontaudit rules disabled
  • often, something will not work, but audit2allow doesn't show anything
• semodule -B to rebuild policy (with dontaudit rules)
• semodule -i MODULE.pp to install a module
• semodule -r MODULE to remove a module

Also a few scripts for policy creation and management are essential. There are two basic approaches to policy creation: modules and policy modules.

Modules: can be used to modify AVC rules and are pretty simple

 bash

    
# a violation has occurred that you want to allow or dontaudit
echo "module my_allow 1.0;" > my_allow.te
audit2allow -ar >> my_allow.te

# verify that my_allow.te has what you expect
cat my_allow.te

# build and install the module (replace mcs with whatever policy you are using)
make -f /usr/share/selinux/mcs/include/Makefile my_allow.pp
semodule -i my_allow.pp

# clear audit logs
rm -f /var/log/audit/audit.log.*; >/var/log/audit/audit.log

  

Policy modules: can do anything, but are complicated, and the tools for creating them are mostly based on Red Hat.

Creating a new type:

 bash

    
# generate foo.fc, foo.if, and foo.te
sepolicy generate --newtype -t foo_var_lib_t -n foo

# note: see sepolicy-generate(8); sepolicy generate only supports the following
#       type suffixes, but its output files can be adapted to your use case
# _tmp_t
# _unit_file_t
# _var_cache_t
# _var_lib_t
# _var_log_t
# _var_run_t
# _var_spool_t
# _port_t

# modify the .fc file with the desired file contexts, for example (with s0 for mcs)
# /path/to/context/target	--	gen_context(system_u:object_r:type_t,s0)
#
# note: the "--" matches regular files, -d for directories, -c for character
#       devices, -l for symbolic links, -b for block devices, or can be omitted
#       to match anything. also, as mentioned before, I often have better luck
#       with `semanage fcontext`, especially for user directories
vi foo.fc

# build and install the policy module
make -f /usr/share/selinux/mcs/include/Makefile foo.pp
semodule -i foo.pp

# use restorecon to adjust the file contexts of any paths you have 

# by default, all operations involving this type will be denied
# (and are sometimes not audited)
semodule -DB # --disable_dontaudit
# ... use the type, collect violations ...
audit2allow -ar >> foo.te
# if dontaudit is disabled, you'll likely have a lot things to remove from here
vi foo.te

# ... repeat until rules regarding type are fully defined

  

Creating a new application type:

 bash

    
# sepolicy-generate is made for Red Hat,
# but you can use --application to get started

# creates a bunch of files that define bar_t and bar_exec_t
sepolicy generate --application -n bar [-u USER] CMD

# remove the line making the app permissive (up to you, but
# I prefer using audit violations to define the permissions)
perl -i -00 -pe 's/^permissive bar_t;\n\n//g' bar.te

# ensure that the file bar_exec_t file context points to the right bin:
vi bar.fc

# build and install the policy module
make -f /usr/share/selinux/mcs/include/Makefile bar.pp
semodule -i bar.pp

# ... use the application, update AVC rules, repeat ...

  

If your target application is interpreted, you'll need to write a custom C program that launches the interpreter in a specific context, then write your policy around that application. For example, you should execv something like this: /usr/bin/runcon -u user_u -t my_script_t /bin/bash PROG.

For vegetables I throw everything into a big stew with a lot of different things (kale, broccoli, cauliflower, onion, potato, mushrooms, tofu, garlic, beans), lots of hot sauce, seasoning, olive oil, etc. and eat the same thing every day, for the most part. I don't eat enough fruit but I do have a handful of dried fruit with oats every day

Totally, props on taking it on as your first distro! Haha, yeah a week of pain sounds about right. My last Gentoo setup took an entire month (off and on), but I was doing something crazy (Qubes-like, every application in its own Gentoo VM, strict SELinux on host and guests)... ended up ditching that because I got comfortable enough with SELinux to write stronger policies for everything important, which is good enough for me.

I had the benefit of using other distros before trying Gentoo, so my first attempt at it wasn't so bad (but still took two full days). It's definitely taught me way more than any other distro, including Arch (although Arch was a very good stepping stone). I don't think I could go back to anything else at this point

Yep! Gotta love the flexibility of it

Ah gotcha, just asking because I've never used it before. Good to know that Gentoo supports hardening it

Oh good to know! Thanks for the tips. What do you like about musl over glibc?

I would look into Gentoo's Hardened + SELinux profile if you want good security in a standard system, but as others have mentioned QubesOS is probably the most secure option OOTB (but it is very limiting). SELinux is pretty difficult to use but it's really effective, and there is good information about it on the Gentoo wiki. Not sure what exactly goes into their hardened profile but I know it implements at least some of the suggestions listed on that site (like hardened compilation flags). Also it's probably more vulnerable to 0-day attacks than Qubes, since it uses up-to-date software. But it's really flexible, and learning SELinux is useful

I learned by watching a bunch of cppcon videos, reading cppreference, and writing a lot of programs. Learning how to understand the error messages is also really important

Ah true! Thanks, yeah that's a better way to do that. It seems I've developed a bad habit of going into visual more often than I need to- will keep an eye out for that

As a Vim/NeoVim user my number one reason is speed. There's a pretty steep learning curve, but it doesn't take long to see noticeable improvements.

Aside from terminal applications generally running faster than GUI ones, there is a tremendous amount of flexibility that it offers when it comes to actual text editing. For example, you learn how to type things like _f(vi(cfoo _f(ci(foo^† which goes to the beginning of the line, finds the first open parens, selects everything inside of the parens expression, then replaces that text with "foo". After a while these kinds of inputs become second nature, and you can start using them to construct macros on the fly that can be applied to different places in your code.

One major downside is that it can take some configuration to get working the way you want it, especially if you want an IDE-like environment. NeoVim comes with a built-in LSP interface, which I've been able to get working pretty well for all of the languages that I use the most, but it's still kind of a pain to configure.

I'm sure Emacs is similar, but I've never used it. I don't think many people use Nano unless they need to edit something in a terminal but don't know how to use Vim. On that note, being comfortable with a terminal editor means that you'll have no problem if you're SSH-ing into a server or using the TTY console.

^† _f(ci(foo avoids an unnecessary mode change, see comment below

Haha yeah, nicely put. I do enjoy the content, mostly because I've been following these creators for some time, and it's hard to find a replacement for it... there is a lot of great content there, but it makes me feel gross using it. And same, I had no problem finding an alternative for Reddit (this), probably because I was not very attached to individual creators there.

I'm hoping a decentralized solution gains traction, but in the meantime I've been trying to limit the amount of information I share with the platform. I'm not actively trying to restrict my usage (most of that was achieved when I stopped using an account), but maybe it's a good idea to do so. I mostly use it when eating or going to sleep, and there are better ways to occupy that time.

Major bugs usually get fixed pretty quickly- I always check the GitHub to make sure I have the latest version when I have issues. And Invidious can work as an alternative most of the time, but some instances work better than others

I stopped using recommendations years ago and only use NewPipe and Invidious. I did notice a reduction in my watch time, but there is plenty to watch when using a subscription-only feed. I havent added very many channels to my list since then, but personalized recommendations aren't worth the privacy cost. Hoping to leave the platform eventually