Firstly, I’m not a security expert. I’m only a long-time Linux user and C/PHP/JS programmer.
I have an idea how to protect user configuration. There is, of course, SELinux, which could protect per-application access to files, but it isn’t bundled in many distributions, because vendors decided it’s too complicated. And yet, OpenSUSE could gain many positive things if it implemented this. Mostly… It would act like PolicyKit, so OpenSUSE would win by standardizing a mechanism which protects user config.
The base idea is simple… Create, for each user, an additional user with a different home directory and UID. Both users belong to the same group, so the hack is to give our user read permission on the additional user’s home directory, but not write. Programs could read files from this home directory and could trust that the content won’t be changed by an unauthorized operation.
The user could change config in the described new home directory with admin rights (sudo, an admin file manager protocol or another mechanism), with fish or sudo (but that requires setting a password for the described user), or via a new daemon, started on user login and working with the rights of the second user (with the secured home). This daemon could be like PolicyKit, but use a private DBus session (a newly created Unix socket, to which only the user’s programs could write/read). Each program installed in the system by the package manager could install a new program, which would be automatically started by DBus on request. And these programs could write to the protected home directory.
This idea doesn’t protect the config files of one program from being messed up by the daemon of another program, but if the user installs programs by the package manager, it is still a security risk, right?
Programs should be changed in one simple way: read configuration from the protected home and… allow an option to include configuration from the normal home directory. For example, here is an example proxy configuration of a web browser:
In protected home:
In not-protected home:
But the more important setting is the one in the protected home.
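The loading rule described above (protected home is read first, the normal home is only included if the protected config opts in, and a protected setting always wins) is shown here as an added Python example; it is not code from the original post and the post gives no implementation. The INI layout, the file name `browser.conf`, the `include_user_config` key and the `[proxy]` section are assumptions made for this example, and the sample files are constructed inside a temporary directory so it runs without creating users or changing permissions. `check_protected_dir` is a small sanity check a program could run before trusting the protected home: the directory must be owned by another UID and must not be writable by the current process, group or others.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical file name; the post does not fix a format, INI is assumed here.
CONFIG_NAME = "browser.conf"


def check_protected_dir(path):
    """Return a list of problems if `path` does not look like a protected home.

    A protected home, as proposed, is owned by the second UID and is only
    readable (not writable) by the primary user and everyone else.
    """
    problems = []
    st = path.stat()
    if st.st_uid == os.getuid():
        problems.append("protected home is owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("protected home is group- or world-writable")
    if os.access(path, os.W_OK):
        problems.append("current process can write to the protected home")
    return problems


def load_config(protected_home, user_home):
    """Merge configuration the way the post describes.

    Returns a dict keyed by (section, option). The normal home is read only
    when the protected config sets include_user_config = true, and any option
    also present in the protected config overrides the user value.
    """
    protected = configparser.ConfigParser()
    protected.read(protected_home / CONFIG_NAME)

    merged = {}
    include_user = protected.getboolean("main", "include_user_config", fallback=False)
    if include_user:
        user = configparser.ConfigParser()
        user.read(user_home / CONFIG_NAME)
        for section in user.sections():
            for key, value in user.items(section):
                merged[(section, key)] = value

    # Protected settings are applied last, so they always win.
    for section in protected.sections():
        for key, value in protected.items(section):
            merged[(section, key)] = value
    return merged


def demo(include_user):
    """Build constructed sample files in a temp dir and return the merged config."""
    with tempfile.TemporaryDirectory() as tmp:
        protected_home = Path(tmp) / "protected"
        user_home = Path(tmp) / "home"
        protected_home.mkdir()
        user_home.mkdir()

        # Constructed protected config: admin-controlled proxy, opt-in for user config.
        (protected_home / CONFIG_NAME).write_text(
            "[main]\n"
            f"include_user_config = {'true' if include_user else 'false'}\n"
            "[proxy]\n"
            "http = proxy.example.internal:3128\n"
        )
        # Constructed user config: tries to redirect the proxy and adds no_proxy.
        (user_home / CONFIG_NAME).write_text(
            "[proxy]\n"
            "http = 127.0.0.1:8080\n"
            "no_proxy = localhost\n"
        )
        return load_config(protected_home, user_home)


def demo_check():
    """Run the directory check against a temp dir owned by the current user."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_protected_dir(Path(tmp))


if __name__ == "__main__":
    print(demo(include_user=True))   # user no_proxy kept, protected http wins
    print(demo(include_user=False))  # user config ignored entirely
    print(demo_check())              # a user-owned temp dir fails the check
```

With `include_user_config = true` the user's `no_proxy` survives but the user's attempt to change `http` is overridden by the protected value; with it set to false the normal home is never consulted. The check function reports a user-owned, writable directory as unsuitable, which is exactly what a program would see if someone pointed it at an ordinary home instead of the second user's one.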
Of course, some program could debug our program and change its memory directly, but this is a thing somebody should solve.