From 1dd44267e5a36811939c1933a86dbb2c13a89f45 Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 6 Jun 2023 01:03:11 -0700 Subject: [PATCH] Mention fancy snap packages --- content/posts/linux/Desktop Linux Hardening.md | 5 +++++ static/images/ubuntu-cups-snap.png | Bin 0 -> 13 bytes static/images/ubuntu-ufw-snap.png | Bin 0 -> 13 bytes 3 files changed, 5 insertions(+) create mode 100644 static/images/ubuntu-cups-snap.png create mode 100644 static/images/ubuntu-ufw-snap.png diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 8447809..736e55b 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -124,6 +124,11 @@ Snap packages come in [two variants](https://snapcraft.io/docs/snap-confinement) Snap permissions can be managed via the Snap Store or Ubuntu's custom patched GNOME Control Center. +On Ubuntu, you can replace various .deb packages with strictly confined snaps to minimize the attack surface. Some examples of these packages are the printing stack or `ufw`: + +![Cups Snap](/ubuntu-cups-snap.png) +![UFW Snap](/ubuntu-ufw-snap.png) + One caveat with Snap packages is that you only have control over the interfaces declared in their manifests. For example, Snap has separate interfaces for `audio-playback` and `audio-record`, but some packages will only declare the legacy `pulseaudio` interface which grants access to both play and record audio. Likewise, some applications may work perfectly fine with Wayland, but the package maintainer may only declare the X11 interface in their manifest. For these cases, you need to reach out to the maintainer of the snap to update the manifest accordingly. ### Firejail 
diff --git a/static/images/ubuntu-cups-snap.png b/static/images/ubuntu-cups-snap.png new file mode 100644 index 0000000000000000000000000000000000000000..ba5213fb23dc34699739844ece8c4e1d3730a40f GIT binary patch literal 13 UcmaFAe{X=FJC_s}0|NsW048?>i2wiq literal 0 HcmV?d00001 diff --git a/static/images/ubuntu-ufw-snap.png b/static/images/ubuntu-ufw-snap.png new file mode 100644 index 0000000000000000000000000000000000000000..ba5213fb23dc34699739844ece8c4e1d3730a40f GIT binary patch literal 13 UcmaFAe{X=FJC_s}0|NsW048?>i2wiq literal 0 HcmV?d00001
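Review bot: In the `Desktop Linux Hardening.md` hunk, the two added image links point at `/ubuntu-cups-snap.png` and `/ubuntu-ufw-snap.png`, but the files this patch creates are `static/images/ubuntu-cups-snap.png` and `static/images/ubuntu-ufw-snap.png`. Unless the site serves that directory from the web root, the links will not resolve; please check them in a local build and, if needed, change them to `/images/ubuntu-cups-snap.png` and `/images/ubuntu-ufw-snap.png`. The added sentence also tells readers to replace .deb packages with strictly confined snaps without naming the snaps or saying how to confirm their confinement, so the advice rests entirely on the screenshots. Consider naming the snaps in the text and making the alt text ("Cups Snap", "UFW Snap") describe what each screenshot shows. Minor wording: "the printing stack or `ufw`" should be "and", since both are given as examples.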
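Review bot: In the two binary hunks, `ubuntu-cups-snap.png` and `ubuntu-ufw-snap.png` are each added as `literal 13` with the same blob id (`ba5213fb23dc34699739844ece8c4e1d3730a40f`), so both files have identical 13-byte content. That is smaller than the PNG signature plus the mandatory IHDR chunk, so neither can be a valid image, and they cannot be two different screenshots. It looks like placeholder files were committed instead of the real captures; please re-add the actual PNGs and confirm the diffstat shows distinct, plausible sizes before merging.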