Hi,
I was trying NixOS as a Desktop and installed Chromium, Brave and Firefox through home-manager.
I did a few checks and first found out that the browsers can by default access all the files the user has access to (like file:///etc/), which I believe is not the case in many other distros (even without sandboxing systems such as Flatpak).
I searched the NixOS options, Discourse and users' configurations to see how people are usually configuring their browser, but couldn't find how to restrict filesystem access outside of using firejail.
I am not a security expert but always remember this view on firejail from Linux | Madaidan's Insecurities:
Firejail is another common sandboxing technology; however, it is also insufficient. Firejail worsens security by acting as a privilege escalation hole — Firejail requires being setuid, meaning that it executes with the privileges of the executable’s owner, which in this case, is the root user. This means that a vulnerability in Firejail can allow escalating to root privileges.
Which kind of makes sense AFAIK.
So my question is:
What are you recommending today for basic browser hardening/sandboxing and limiting filesystem access (without going as far as firejail with all its tradeoffs)?
Thank you for your help!