Hacker News new | past | comments | ask | show | jobs | submit login

> Yeah. The Downloads directory inevitably accumulates sensitive data over time, especially lacking automatic cleanup/expiration of files. For this reason alone, Firefox should follow the Chromium/Edge policy.

> Then SELinux/AppArmor enforcement comes along, but it's of limited effectiveness because you end up with free-for-alls (for convenience's sake) like ~/Downloads.

I keep this clean when I am finished with a file I usually have a term up and will move it to somewhere in ~/ or ~/Documents

I think I might use AppAmor to secure this like TAILS does https://tails.boum.org/contribute/design/application_isolati...

I found these profiles which will act as a good basis https://github.com/mk-fg/apparmor-profiles/blob/master/profi... it seems that Mike Kazantsev (mk-fg) has abstracted it it a bit more into other files.

The ones that come with apparmor look ancient https://gitlab.com/apparmor/apparmor/blob/master/profiles/ap...

> E.g. how should we protect ourselves from someone exploiting a vulnerability in vim to access our private documents, which we could potentially want to edit with vim ourselves?

I think for me it would be about starting with high risk applications.

If you look at https://github.com/mk-fg/apparmor-profiles/tree/master/profi... you notice things like steam, skype, etc.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: