AppArmor profile for Qubes available!

Added a “git” profile. I removed the ability for a user to do “sudo git clone”, among other things.

I will also remove the ability for every browser and file manager to be run with sudo. I didn’t think it was possible with AppArmor; I discover things every day.

Added a thunar profile compatible with the package “qubes-core-agent-thunar” (but don’t use it yet, I will modify the profile very soon). Thunar was the most complicated profile; it asks for too many permissions…

I was busy learning things with AppArmor, but the librewolf profile is coming.

I just added the librewolf profile. I took a lot of time to write this one perfectly. The librewolf profile is the most well written; I need to change firefox and mullvad a little bit.

List of things that will be denied when using Librewolf:

  1. You can’t run librewolf by using “sudo librewolf”.
  2. Librewolf can’t access the curl, wget and bash commands, and more… (It’s for your safety; it will not impact your experience, it just increases the security.)
  3. Of course, Librewolf can’t read or write any home, file or folder inside the home directory except the Downloads folder, and Librewolf can’t access the root filesystem.
  4. I don’t know if extensions such as keepassxc or bitwarden will work with the profile, and the more I think about that, the more I think I will deny a user the ability to use extensions, for his safety (don’t worry, uBlock will still work, but a lot of them will not). It needs to be discussed, but the thing is that extensions are too dangerous; please read “More malicious browser extensions uncovered - Chrome, Firefox, and Edge all affected” (TechRadar).
  5. I didn’t do anything about the potential extensions issue; like I said, it needs to be discussed in the future. But I don’t want to see a random user complaining in the Qubes forum that he has been hacked while he was using Qubes and saying “qubes don’t protect you”.
  6. When I was doing the brave profile, I saw that some extensions, like password managers, use commands like “/usr/bin/curl” and “/usr/bin/touch”, and this is so dangerous…
  7. Mullvad Browser is shipped with 3 extensions (NoScript, uBlock, and their VPN extension), but they do not allow a random user to easily install an extension. Maybe I should do the same thing? I don’t know; like I said, it needs to be discussed.

I removed the librewolf profile; there is a little issue that needs to be fixed immediately.

Edit: Librewolf profile fixed

  1. Every browser should be able to correctly see files and directories in “Downloads”; the deny rules before were way too strict.
  2. The file manager no longer has network connections; I finally found the rules in AppArmor to do that.
  3. Improved the security: I added the “sudo” profile to deny access to commands like “sudo brave-browser, sudo firefox, sudo git, sudo mullvad-browser, sudo curl”. The rule “deny /usr/bin/sudo rw,” was not working as I expected.
  4. I need to improve every profile in the repository.
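
The restrictions listed in these posts, sketched as AppArmor rules. This is an added example, not part of the original posts and not taken from the author's repository; the profile names and binary paths are placeholders, and the allow rules a real browser or file manager needs for its own libraries and data are assumed to be added alongside.

```apparmor
# Constructed example: profile names and binary paths are placeholders.
#include <tunables/global>

profile example-browser /usr/bin/example-browser {
  #include <abstractions/base>

  # Downloads is the only part of the home directory with an allow rule.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Nothing else under @{HOME} is allowed, so enforce mode already
  # refuses it. Do not add a blanket "deny @{HOME}/** rw," on top:
  # deny rules always win over allow rules, so it would also block
  # the two Downloads rules above.

  # Refuse helper binaries explicitly. Plain "deny" rules are silent;
  # "audit deny" keeps the refused attempts in the audit log.
  audit deny /{usr/,}bin/{curl,wget,bash} x,

  # A rule such as "deny /usr/bin/sudo rw," placed here only stops this
  # browser from reading or writing the sudo binary. Whether sudo may
  # start the browser is decided by the profile (if any) confining sudo.
}

profile example-file-manager /usr/bin/example-file-manager {
  #include <abstractions/base>

  # The file manager may browse the user's own files...
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

  # ...but may not open IPv4 or IPv6 sockets.
  deny network inet,
  deny network inet6,
}
```

After loading a profile, `aa-status` shows whether it is in enforce or complain mode; the default-deny behaviour described in the comments applies only in enforce mode.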