Features

Exploit mitigation

Install and enable hardened_malloc globally, including for Flatpaks. ^{Thanks to rusty-snake’s spec}
Install our Chromium-based browser Trivalent, which is inspired by Vanadium. ^{Why Chromium?} ^{Why not Flatpak Chromium?}
Restrict unprivileged user namespaces via SELinux policy
Harden the kernel via numerous sysctl values ^details
Harden the kernel via numerous kernel arguments (Inspired by Madaidan’s Hardening Guide) ^details
Configure chronyd to use Network Time Security (NTS) ^{using chrony config from GrapheneOS}
Set opportunistic DNSSEC and DNS over TLS for systemd-resolved
Install USBGuard and provide ujust commands to automatically configure it

Remove suid-root from numerous binaries, replacing functionality using capabilities, and remove sudo, su, and pkexec entirely in favor of run0 ^why?
Disable XWayland by default (for GNOME, Plasma, and Sway images)
Mitigate LD_PRELOAD attacks via ujust toggle-bash-environment-lockdown
Disable install & usage of GNOME user extensions by default
Disable KDE GHNS by default ^why?
Remove the unmaintained and suid-root fuse2 by default
Disable unprivileged user namespaces by default for the unconfined domain and the container domain ^why?
Prohibit ptrace attachment ^why?

Blacklist numerous unused kernel modules to reduce attack surface ^details
Protect against brute force by locking user accounts for 24 hours after 50 failed login attempts, providing password quality suggestions and making use of hardened password encryption
Disable and mask a variety of services by default (including cups, geoclue, passim, and others)

Install Bubblejail for additional sandbox tooling
Provide tooling for automatically setting up and enabling LUKS TPM2 integration for unlocking LUKS drives
Provide tooling for automatically setting up and enabling LUKS FIDO2 integration for unlocking LUKS drives
Provide toggles for a variety of the hardening set by default, for user convenience (ujust --choose)