Question on hardening security on KDE plasma, or on X11 in general

I have recently re-learned the hard way that browsers, due to their very nature of potentially running any code, are one of the most common targets and vehicles of infection.

Since Firefox is just an application inside a larger ecosystem, in my case KDE Plasma, it is really important to update and check it regularly, and to protect it the best way I can.

Reading about how to use Firejail to control Firefox behavior on Gentoo, I realized how vulnerable the entire system can be and - in fact - IS! because of the X11 legacy over which our desktops still operate today.

Though X11 is and has been a milestone in our *nix world history and success, it is today lacking some very basic security features such as process isolation that make our systems so vulnerable whenever something goes wrong, …not only inside the browser!

User applications and scripts may and in fact can easily capture any key, any screen, no matter the user, be the user a regular one or root himself.

Is there a suggested Manjaro way or guideline to harden KDE Plasma security?
In the Gentoo documentation, the nested X servers Xephyr and Xpra seem to offer a hand if used alongside Firejail.
Is Firejail the best and only tool we have at the moment? Thanks in advance.

With Firejail, you can replace the x11 server with xpra or xephyr to prevent keyboard loggers and screen capture software from accessing the main x11 server. It is also quite common to run firejail in combination with AppArmor, which is pretty straightforward to set up. You may also wish to run your x server rootless, so with KDE you may need to do away with SDDM and startx manually from a tty.

There are also other options like running SELinux and customising the kernel for hardened security, which are a bit more work to implement than AppArmor and Firejail.

  1. Disable all scripts with NoScript and only allow scripts for sites you need to log into.

  2. Disable all cookies on all sites and only allow session cookies for sites you need to log into.

  3. Install uBlock Origin

    99.99% of all vectors of malware from a Firefox perspective are hereby closed. (And the way I run)

  4. Install Manjaro updates religiously.

Disadvantages:

  • YouTube will nag you for 15 days to accept their new terms and conditions every time they change them
  • imgur, Vimeo, Facebook, … stop working: who cares? (allow session cookies and scripts if you desperately need them)

:man_shrugging:


To add to @Fabby’s great advice, you could also run your own recursive DNS server with something like unbound and dnsmasq, and also use it to block known malware/advertisement/undesirable domains. Quite straightforward and fun to do it manually, or you could use PiHole to set it up. Works well in combination with all of the options offered by Fabby.


I thank you all, guys! And what you have suggested is exactly what I have done, but in times of Magic Lantern, Pegasus and stuff like this, followed by the possible abuses that these products allow, we definitely need something more. I am sorry but I won't be regularly online anymore.
Good luck!

You can also use a good hosts file (like StevenBlack’s hosts), which can enforce a system-wide block for a lot of malware, adware, spyware and other junk.


If you like host blocks, have a look at Hblock; it’s in the AUR.
