Scope of application-specific hardening?

[adrelanos]

#146 (which looks nice at first sight) and 1500 AppArmor profiles (impressive scope) woke me up to set the expectations straight for application-specific hardening.

How many applications should be hardened through this repository?

Maybe best to limit security-misc to "global" / "system" wide hardening, have a separate repository for application specific hardening?

Or I could arbitrarily limit the applications to those pre-installed in Kicksecure, Whonix and perhaps some other popular/important applications (even more arbitrary).

However, ~1500 pull requests for all sorts of applications hardening I've never used and reviewing the details of this with DOS the development so this isn't possible.

These expectations need to be set straight in the readme to respect contributor's time.

For a hypothetical ~1500 application hardening settings a separate repository would need to be maintained by somebody else.

[monsieuremre]

How about limit the applicaiton specific hardening to those that are default installed kicksecure/whonix applications. Thunderbird hardening was already in the package, I just added some more lines. We can just limit this manual application specific hardening to:

• Debian Specific System Components (Pretty much just apt probably)
• System Services (Like enabling NetworkManager IPv6 privacy options and enabling MAC address randomization)
• Freedesktop (Like forcing Xorg to run as non-root, which I was planning to create a pull on)
• Kicksecure default user applications (Thunderbird, VLC, KeepassXC, etc.)

[adrelanos]

Sounds good! Can be added to readme.

* Freedesktop (Like forcing Xorg to run as non-root, which I was planning to create a pull on)

Not sure that's worth it. Got any input on the following ones? https://forums.whonix.org/t/port-to-wayland/17380 https://forums.whonix.org/t/custom-desktop-environment-wayland-support/17490

[adrelanos]

Expanded.