From d824a1ccae75bdfdc4b36cea2f901bd0c40d5a8e Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 15 Apr 2024 01:26:29 -0700 Subject: [PATCH] Instruction to disable XWayland Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 2257423..7c6917f 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md 
@@ -387,6 +387,16 @@ The [hardened memory allocator (hardened_malloc)](https://github.com/GrapheneOS/ Kicksecure installs it by default (though not enabled by default) and provides [in‑depth usage instructions](https://www.kicksecure.com/wiki/Hardened_Malloc) relevant to all distributions. On Arch-based systems, hardened_malloc is [available through the AUR](https://wiki.archlinux.org/title/Security#Hardened_malloc). Divested Computing Group maintains an x86_64 [Fedora build](https://github.com/divestedcg/rpm-hardened_malloc) with micro-architecture optimized builds (x86_64_v3, x86_64_v4, etc). SecureBlue provides a [copr repository](https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/) for Fedora with both x86_64 and aarch64 builds, albeit without micro-architecture optimized builds like Divested Computing Group. +### Disabling XWayland + +To disable XWayland with GNOME, create `/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf` with the following content: + +``` +[Service] +ExecStart= +ExecStart=/usr/bin/gnome-shell --no-x11 +``` + ### Mountpoint Hardening Consider adding the [mount options](https://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS) `nodev`, `noexec`, and `nosuid` to mountpoints which do not need the respective capabilities. Typically, these can be applied to `/boot`, `/boot/efi`, and `/var`. These flags could also be applied to `/home` and `/root`, however `noexec` will prevent applications that require binary execution in those locations from working (including Flatpak and Snap).
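Review bot: The new "Disabling XWayland" section gives the drop-in but neither its effect nor how to apply it; a reader following it will not learn that X11-only applications stop launching once gnome-shell runs with `--no-x11`, nor that the override only takes effect after `systemctl --user daemon-reload` and a fresh login. Suggest adding one sentence on that trade-off and one on activation, and a brief note that the empty `ExecStart=` line is intentional (it clears the unit's original command before the replacement is set), since that pattern confuses people who have not used systemd drop-ins before. If the other fences in this file carry a language tag, this one should be tagged as ini for consistency.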