u/themagicalfire

▲ 7 r/sandboxcontainment+4 crossposts

My Fedora Configuration from 18 May 2026

Current Fedora Configuration:

Installation date: 21 April 2026 (27 days ago).

Info from the settings app: Fedora Linux 44, Kernel 7.0.8, Wayland display system, Secure Boot functioning correctly.

Browser: Firefox 150.0.3 with uBlock Origin, prompting where to save files, and no telemetry. Firejail sandboxing implemented manually in this way:
[Desktop Entry]
Name=Firefox (Sandboxed)
Exec=firejail --private=/home/local83/sandbox/firefox --dns=1.1.1.1 --dns=9.9.9.9 --seccomp --caps.drop=all --nonewprivs --no3d --netfilter firefox -no-remote
Icon=firefox
Type=Application
Categories=Network;WebBrowser;

Sandboxing tools I know how to use, at least at a limited degree: Firejail, Bubblejail, Flatseal.

SELinux status: enforcing and targeted (confirmed by looking at /etc/selinux/config and running the command sestatus). Working as expected (ausearch found an alert from 12 May 2026 saying that systemd-rfkill was blocked from using dac_read_search, dac_override, and the syscall openat).

Third-party game I downloaded:
bubblejail create --no-desktop-entry --profile generic TheNatureOfMagic
nano ~/.local/share/bubblejail/instances/TheNatureOfMagic/services.toml
[common]
[wayland]
[pulse_audio]
[direct_rendering]
[home_share]
home_paths = ["games/TheNatureOfMagic-PartThree-pc"]
bubblejail run TheNatureOfMagic home/local83/sandbox/games/TheNatureOfMagic-PartThree-pc/TheNatureOfMagic.sh
Verification for namespace: sudo nsenter --target 16086 --mount --pid ls -la /home

Kernel memory protections: active (confirmed through the command sestatus).

Sudo configuration hardened in this way:
Defaults env_reset
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Defaults use_pty
Defaults timestamp_timeout=0

Listening services: dhcpv6.

Disabled services: cups, samba-client, ssh, llmnr-client, llmnr-tcp, llmnr-udp.

Commands for disabled services:
sudo systemctl disable --now cups
sudo firewall-cmd --remove-service=samba-client --permanent
sudo firewall-cmd --zone=public --set-target=DROP --permanent
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="224.0.0.0/4" drop'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="ff00::/8" drop'
sudo firewall-cmd --reload

Services that have been “unpowered” by removing usable ports through firewall-config: llmnr-client, llmnr-tcp, llmnr-udp.

Verification for listening services:
sudo firewall-cmd --list-all
sudo firewall-cmd --list-services
ss -tulpn
sudo dnf install nmap
nmap localhost

Assumptions: hardware, firmware, and kernel are not malicious; baseline security involving system integrity, lateral movement, control flow validation, memory protections, and privilege escalation is trusted but should be strengthened according to threat model.

New learned info: sandboxes can be created using Firetools Config, internet access can be blocked using Portmaster, Firejail has these flags: --net=none, --memory-deny-write-execute, --private-bin, --protocol=unix,inet,inet6. None of this newly learned info has been implemented yet.

Goals: learn browser hardening, learn attack surface reduction, learn SELinux, learn Firewall filtering, learn seccomp, cgroups, and namespaces, learn everything about Firejail, Bubblewrap, Flatpak, and Bubblejail. Progress ongoing for Firejail, Bubblejail, SELinux, seccomp, and namespaces.

Security constraint = reduction of achievable attacker state space. Depending on context, that reduction:
- prevents certain executions entirely;
- limits execution capabilities;
- reduces impact of compromised execution.

My mindset: former designer and tweaker of high-assurance-like security environments based on Windows, preference for least-privilege and default-deny above isolation of interaction, first-principles-driven, aware of the principles of Saltzer and Schroeder, somewhat aware of IPC pipelines, learner of Linux Assembly 64-bit, creative thinking, researcher of enforcement and execution boundaries. I believe that in-memory attacks are inevitable and can only be somewhat constrained. Control flow is mostly bypassable if the values can be overwritten or the stages of the program are jumped.

reddit.com
u/themagicalfire — 3 days ago
▲ 2 r/sandboxcontainment+1 crossposts

My first Linux sandboxed app

I learned how to make a Firejail sandbox using .desktop files. Look:

[Desktop Entry]
Name=Firefox (Sandboxed)
Exec=firejail --private=/home/local83/sandbox/firefox --dns=1.1.1.1 --dns=9.9.9.9 --seccomp --caps.drop=all --nonewprivs --no3d --netfilter firefox -no-remote
Icon=firefox
Type=Application
Categories=Network;WebBrowser;

reddit.com
u/themagicalfire — 13 days ago
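Added example, not code from either post: both the 18 May configuration and "My first Linux sandboxed app" run Firefox with --seccomp --caps.drop=all --nonewprivs, and the kernel reports whether each of those took effect in /proc/self/status (the NoNewPrivs, Seccomp and CapBnd fields documented in proc(5)). The program below parses that text and compares it with the three claims; running it under the same firejail flags checks the live process. The two SAMPLE_* strings are constructed, not captured from a real system, and the function and struct names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel-reported sandbox state, taken from /proc/self/status (proc(5)). */
struct sandbox_state {
    int no_new_privs;            /* NoNewPrivs: 1 once --nonewprivs applied */
    int seccomp_mode;            /* Seccomp: 0 off, 1 strict, 2 filter */
    unsigned long long cap_bnd;  /* CapBnd: bounding set, 0 after --caps.drop=all */
    int found;                   /* bitmask of the three lines seen */
};

/* Parse status text line by line. Returns 0 when all three fields were
   present, -1 otherwise (st still holds whatever was found). */
static int parse_status(const char *text, struct sandbox_state *st)
{
    memset(st, 0, sizeof *st);
    const char *line = text;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        /* Prefixes include the colon, so "Seccomp:" does not also match
           the newer "Seccomp_filters:" line. */
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            st->no_new_privs = (int)strtol(line + 11, NULL, 10);
            st->found |= 1;
        } else if (strncmp(line, "Seccomp:", 8) == 0) {
            st->seccomp_mode = (int)strtol(line + 8, NULL, 10);
            st->found |= 2;
        } else if (strncmp(line, "CapBnd:", 7) == 0) {
            st->cap_bnd = strtoull(line + 7, NULL, 16);
            st->found |= 4;
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return st->found == 7 ? 0 : -1;
}

/* 1 when the kernel agrees with the three flags in the Exec line. */
static int sandbox_ok(const struct sandbox_state *st)
{
    return st->found == 7 && st->no_new_privs == 1
        && st->seccomp_mode == 2 && st->cap_bnd == 0;
}

/* Parse then evaluate: -1 if a field is missing, else sandbox_ok(). */
static int check_status_text(const char *text)
{
    struct sandbox_state st;
    if (parse_status(text, &st) != 0)
        return -1;
    return sandbox_ok(&st);
}

/* Constructed samples (not captured from a real system) shaped like the
   relevant lines of /proc/self/status inside and outside the sandbox. */
static const char SAMPLE_SANDBOXED[] =
    "Name:\tfirefox\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n"
    "CapBnd:\t0000000000000000\n";

static const char SAMPLE_PLAIN[] =
    "Name:\tfirefox\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t0\n"
    "CapBnd:\t000001ffffffffff\n";

/* Live check, e.g.: firejail --seccomp --caps.drop=all --nonewprivs ./statuscheck */
int main(void)
{
    char buf[16384];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        perror("/proc/self/status");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    struct sandbox_state st;
    if (parse_status(buf, &st) != 0)
        fputs("warning: some status fields missing\n", stderr);
    printf("NoNewPrivs=%d Seccomp=%d CapBnd=%016llx -> %s\n",
           st.no_new_privs, st.seccomp_mode, st.cap_bnd,
           sandbox_ok(&st) ? "sandboxed as claimed" : "NOT sandboxed as claimed");
    return sandbox_ok(&st) ? 0 : 2;
}
```

A non-zero CapBnd with --caps.drop=all, or Seccomp=0 with --seccomp, means the flag was not applied to the process that actually runs (for example because the Exec line launched a wrapper that re-executed the browser outside the jail), which is the failure this check is meant to catch.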
▲ 1 r/MinecraftServer+1 crossposts

This is the certification standard I had on my server in 2021 and 2022, explained through the building of a hospital:

- Three bedrock layers all around the internals;
- Two lava layers in between the three bedrock layers;
- Double doors protected by the plugin Lockette;
- Two pairs of double doors, both protected by the plugin Lockette, to raise the packets sent by a hacker and trigger the Anti-Cheat more reliably;
- Region that forces survival mode, disables commands, and prevents placing blocks or removing blocks using the plugin WorldGuard;
- Permissions reviewed to ensure that even admins can’t bypass Lockette and WorldGuard;
- Exterior hospital appearance hides the structural and environmental hardening.

Threat model: TNTs can’t damage the interiors, pickaxes don’t break anything useful, ender pearls glitching either doesn’t work or ends in lava, pistons glitching doesn’t work, saplings glitching is mitigated, admin permissions are restricted by configurations.

reddit.com
u/themagicalfire — 18 days ago

In simulation games, I have creativity and can spot vulnerable opportunities.

I tend to perform a blend of scouting, engineering, skirmishing, ambushing, formation and tempo disruption, surprise attacks on rears and flanks, sabotage, raiding (stealing logistics), infiltration, and intelligence-gathering.

Since the roles are specific and the combination may be unique, I’m not sure if a role could exist in real life that would match my tactics.

reddit.com
u/themagicalfire — 21 days ago

I’m thinking of making a prototype of an operating system eventually, and my immediate thought was how to implement least privilege. I already knew that Assembly had syscalls (mov rax, 60 for example) and comparison instructions (cmp/test), so I came up with an idea: what if the source code of my program allowed only syscall 1 (write) and disregarded everything else through conditional flow performing null operations? Would this work to be considered a “sandbox”?

reddit.com
u/themagicalfire — 1 month ago
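Added example, not from the post: the same "only syscall 1" policy, but enforced by the kernel through a seccomp-BPF filter rather than by the program's own cmp/test branches. The difference matters for the concern raised in the 18 May post about control flow being bypassable: once the filter is installed, an overwritten register or a jump past the check still cannot reach a syscall outside the allow list, because the decision is taken in the kernel on every syscall entry. The filter allows write(2) plus exit(2)/exit_group(2) so the process can terminate, and kills the process on anything else or on a non-x86_64 ABI. The x86_64 syscall numbers are assumed (matching the post's mov rax, 60 example); the helper names and the /etc/hostname probe are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_INSNS 16

/* Emit the filter into out[] (capacity cap). Returns the instruction count,
   or -1 if it does not fit. Assumes x86_64 syscall numbers, as in the post. */
static int build_filter(struct sock_filter *out, int cap)
{
    const struct sock_filter prog[] = {
        /* Refuse any other ABI first: the i386 table reachable via int 0x80
           reuses numbers, and there "1" is exit(2), not write(2). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Allow list: write, plus exit/exit_group so the process can end. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    int n = (int)(sizeof prog / sizeof prog[0]);
    if (n > cap)
        return -1;
    memcpy(out, prog, sizeof prog);
    return n;
}

/* Evaluate the filter on a synthetic (arch, nr) pair without installing it:
   1 = allow, 0 = kill. Understands only the opcode forms build_filter emits. */
static int filter_allows(unsigned int arch, unsigned int nr)
{
    struct sock_filter insns[MAX_INSNS];
    int n = build_filter(insns, MAX_INSNS);
    unsigned int acc = 0;
    int pc = 0;
    while (pc >= 0 && pc < n) {
        const struct sock_filter *in = &insns[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            acc = in->k == offsetof(struct seccomp_data, arch) ? arch : nr;
            pc++;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += 1 + (acc == in->k ? in->jt : in->jf);
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k == SECCOMP_RET_ALLOW;
        } else {
            return 0;
        }
    }
    return 0;
}

/* Install the filter in the calling process. no_new_privs is required for
   unprivileged callers and stops a setuid exec from escaping the policy. */
static int install_filter(void)
{
    struct sock_filter insns[MAX_INSNS];
    int n = build_filter(insns, MAX_INSNS);
    if (n < 0)
        return -1;
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0)
            _exit(2);
        write(1, "write(2) allowed\n", 17);   /* permitted */
        open("/etc/hostname", O_RDONLY);      /* openat(2): forbidden, child is killed */
        _exit(0);                             /* never reached */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        printf("child killed with SIGSYS on the forbidden syscall\n");
    else
        printf("child ended with status %d\n", WEXITSTATUS(status));
    return 0;
}
```

The filter is installed in a forked child so the parent can report what happened; with the policy active, the child's first non-listed syscall (the open, which glibc issues as openat) ends it with SIGSYS. Firejail's --seccomp flag from the other posts builds a much larger filter of the same kind.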