lattera
commented
2 years ago Out of curiosity, is HardenedBSD supported?
Open BawdyAnarchist opened 2 years ago
lattera
commented
2 years ago Out of curiosity, is HardenedBSD supported?
BawdyAnarchist
commented
2 years ago Out of curiosity, is HardenedBSD supported?
It's all written in shell script, and only makes calls to native FreeBSD commands, mostly jail, jexec, and zfs. So it probably should work just fine for HardenedBSD as well.
The installer script is somewhat manual, requiring that the user walk through all of the jail and virtual machine installer blue screens, so I think the installer script should also work.
0xc1c4da
commented
1 year ago Really cool project, I found myself in the same situation as you, Librem 15 v4 running Qubes but suffering perf issues, found your project awhile back when considering moving to HardenedBSD w Jails/bhyve - waiting for the rewrite before I migrate, albeit on a much beefier machine :)
How are you thinking about secure communication (clipboard and file sharing) between compartments? Are we intending to replicate the qrexec protocols? (Edit: Looks like vchan would require grant tables and event channels, I haven't found any equivalent under bhyve)
Under Qubes I use the Mirage Unikernel Firewall , while the qubes-mirage-firewall implements the Qubes protocols directly, an adaptation could be attractive for the net-firewall gateway.
uses safe (bounds-checked, type-checked) OCaml code to process network traffic, uses less than a tenth of the memory of the default FirewallVM, boots several times faster, and should be much simpler to audit or extend.
Are you open to donations? Setup some crypto addresses, would love to support the project.
ps Love the "LICENSE"
dchmelik
commented
11 months ago I'd like to see a version focused more for average desktop users than extra security. I was interested in Qubes but (apart from I dislike systemd) didn't want network restrictions and would't want my application virtual machines (VMs) destroyed on each start. The unique thing I like is being able to use X programs from any OS (that might have some my main OS doesn't), not extra security.
BawdyAnarchist
commented
11 months ago @dchmelik
In Qubes you can make standalone VMs that fit this purpose. The reality is that my system is not a VM-focused system (although it does have relatively straightforward VM installations). It's a jails focused system, and I believe really should only be used with a tiling window manager. The native integration is i3wm, but you could pretty easily set up with any other capable WM.
Qubes with Xen, has a smoother GUI experience. quBSD is definitely a bit more manual, but it's also more flexible. You can do more things with it. It also performs better than Qubes, because jails are far more lightweight as security containers.
One thing I am trying to do that helps compensate for some of the necessary command line operation required with quBSD, is to create a default setup for stuff like Wireguard VPNs (which can be a pain to set up in Qubes), and offer pre-made jails for various purposes.
Maybe one day I'll learn how to front end, and make a nice GUI for it. For now, it was simply an outgrowth of a set of scripts I personally used for jails operation.
If you would like to offer and ideas or suggestions that aren't necessarily issues or bugs, please put them here. All feedback is welcome!