1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Instruction to disable XWayland

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-04-15 01:26:29 -07:00
parent 0c2cc614d0
commit d824a1ccae
Signed by: Tomster
GPG Key ID: 555C902A34EC968F

View File

@ -387,6 +387,16 @@ The [hardened memory allocator (hardened_malloc)](https://github.com/GrapheneOS/
Kicksecure installs it by default (though not enabled by default) and provides [in&#8209;depth usage instructions](https://www.kicksecure.com/wiki/Hardened_Malloc) relevant to all distributions. On Arch-based systems, hardened_malloc is [available through the AUR](https://wiki.archlinux.org/title/Security#Hardened_malloc). Divested Computing Group maintains an x86_64 [Fedora build](https://github.com/divestedcg/rpm-hardened_malloc) with micro-architecture optimized builds (x86_64_v3, x86_64_v4, etc). SecureBlue provides a [copr repository](https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/) for Fedora with both x86_64 and aarch64 builds, albeit without micro-architecture optimized builds like Divested Computing Group. Kicksecure installs it by default (though not enabled by default) and provides [in&#8209;depth usage instructions](https://www.kicksecure.com/wiki/Hardened_Malloc) relevant to all distributions. On Arch-based systems, hardened_malloc is [available through the AUR](https://wiki.archlinux.org/title/Security#Hardened_malloc). Divested Computing Group maintains an x86_64 [Fedora build](https://github.com/divestedcg/rpm-hardened_malloc) with micro-architecture optimized builds (x86_64_v3, x86_64_v4, etc). SecureBlue provides a [copr repository](https://copr.fedorainfracloud.org/coprs/secureblue/hardened_malloc/) for Fedora with both x86_64 and aarch64 builds, albeit without micro-architecture optimized builds like Divested Computing Group.
### Disabling XWayland
To disable XWayland with GNOME, create `/etc/systemd/user/org.gnome.Shell@wayland.service.d/override.conf` with the following content:
```
[Service]
ExecStart=
ExecStart=/usr/bin/gnome-shell --no-x11
```
### Mountpoint Hardening ### Mountpoint Hardening
Consider adding the [mount options](https://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS) `nodev`, `noexec`, and `nosuid` to mountpoints which do not need the respective capabilities. Typically, these can be applied to `/boot`, `/boot/efi`, and `/var`. These flags could also be applied to `/home` and `/root`, however `noexec` will prevent applications that require binary execution in those locations from working (including Flatpak and Snap). Consider adding the [mount options](https://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT_OPTIONS) `nodev`, `noexec`, and `nosuid` to mountpoints which do not need the respective capabilities. Typically, these can be applied to `/boot`, `/boot/efi`, and `/var`. These flags could also be applied to `/home` and `/root`, however `noexec` will prevent applications that require binary execution in those locations from working (including Flatpak and Snap).