Hello, hope your day's going great. I'm currently developing a security- and privacy-focused Linux distribution based on Arch Linux called Prism OS.
Currently Prism OS uses AppArmor as the default MAC system and linux-hardened as the kernel. The linux-hardened kernel disables the creation of unprivileged user namespaces by default, meaning programs which genuinely require it, like bubblewrap or the Chromium sandbox, would need to be SETUID. This is a severe security degradation.
The solution for this would be to revoke the ability to create unprivileged user namespaces globally for all programs and selectively allow programs to create unprivileged user namespaces. However, this cannot be done since Arch Linux currently does not apply patches from Canonical on any of its officially supported kernels, meaning that 'kernel.unprivileged_userns_restriction' is not available. Issue #11 stating the exact problems was created in October 2024 on the linux-hardened source tree; however, till now the patch has not been added, most probably because features already provided by SELinux are out of scope. Thus, my only options are maintaining my own kernel source tree, using SELinux as the default MAC system for Prism OS, or changing the base to something like Fedora. I'd definitely prefer the second option.
My question is if this project currently is stable enough to be used on a system which will be daily driven? And what is the current status of official SELinux support on Arch? Also it would be great if packages were signed :)
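The trade-off described in the post (kernel denies unprivileged user namespaces, so sandbox helpers fall back to setuid-root) can be audited with the script below. It is an added example, not code from the post or from Prism OS; the linux-hardened knob `kernel.unprivileged_userns_clone` and mainline `user.max_user_namespaces` are real sysctls, the `unprivileged_userns_restriction` name is taken from the post as written, and the helper paths are assumed.

```shell
#!/bin/sh
# Audit helper (added example). ROOT ("" for the live system) lets the check
# run against a constructed directory tree instead of the real /proc.

# Classify how the kernel handles unprivileged user namespaces.
# Prints one of: hardened-denied, hardened-allowed, selective,
# denied-globally, unrestricted.
userns_policy() {
    root="${1:-}"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"          # linux-hardened toggle
    restrict="$root/proc/sys/kernel/unprivileged_userns_restriction" # name used in the post
    maxns="$root/proc/sys/user/max_user_namespaces"                  # mainline hard limit
    if [ -r "$clone" ]; then
        if [ "$(cat "$clone")" = "0" ]; then echo hardened-denied; else echo hardened-allowed; fi
    elif [ -r "$restrict" ]; then
        echo selective            # per-program allow list is possible
    elif [ -r "$maxns" ] && [ "$(cat "$maxns")" = "0" ]; then
        echo denied-globally      # nobody, not even root, can create one
    else
        echo unrestricted
    fi
}

# True when the binary carries the setuid bit: the fallback that hands a
# sandbox helper real root instead of an unprivileged user namespace.
is_setuid() {
    [ -u "$1" ]
}

# Report the policy and flag any setuid sandbox helper (paths assumed).
userns_audit() {
    root="${1:-}"
    printf 'userns policy: %s\n' "$(userns_policy "$root")"
    for h in usr/bin/bwrap usr/lib/chromium/chrome-sandbox; do
        if [ -e "$root/$h" ] && is_setuid "$root/$h"; then
            printf 'WARNING: /%s is setuid (expected: user namespaces instead)\n' "$h"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    userns_audit "${2:-}"
fi
```

Run with `sh audit.sh --run` on the live system, or `sh audit.sh --run /some/root` against a tree you built.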