Max-P

I would distrust my carrier well before I distrust the encryption. Even when roaming, your Internet is tunnelled through your carrier using an internal VPN. It even works in China, that’s a fairly common way to get around their firewall.

A system where everything is sandboxed by default exists too, you do that with a rule that denies everything that’s not explicitly labeled for being allowed.

Only your package manager knows, at install time, how to label an application such that it only have access to the stuff it needs access to. That information have to come from somewhere.

Security is inherently a compromise. You’ve always been able to mount /home noexec so users can’t execute non-approved stuff. But then Steam doesn’t work, none of the games work because that makes them all foreign executables you’re not allowed to execute. Steam has Flatpak-specific code to make it work with the nested sandbox.

It’s up to the distros to make those choices for the desired user experience. Most regular distros are a bit old fashioned and leaves a lot of freedom to the user. And you can have a distro for workstations at offices where you really cannot run anything but company software, for security. Or a distro like Steam OS so regular users can’t really break it.

Mainly because it’s not the kernel’s job. It provides abstractions to access the hardware, manages memory and manages processes, it doesn’t care what userspace does that’s userspace’s problem.

The kernel is responsible for enforcing security policies, but not for writing them or discovering them. It doesn’t know what an “app” is, or what a permission would look like.

It’s the userspace that assigns labels to files and SELinux policies so that the kernel is programmed to know what the boundaries are. As an example, when you log in on a Linux computer, logind ends up assigning your user access to the keyboard, mouse, display and audio to your user and then starts your session and that’s how you get access to those /dev nodes. If you switch user they’re yanked away from you so the other user can use them without you snooping on it.

Userspace uses the kernel’s features to implement the permission systems. That’s basically what Flatpak does: leverage those kernel features to sandbox the application. And it works great and is effective.

Android also uses the Linux kernel and its features for its own sandbox and permission system too.

Generally, the kernel provides the tools for userspace to be able to do things, that’s its purpose. For example all the OpenGL and Vulkan stuff is in userspace, not the kernel, the kernel doesn’t know what Vulkan is and doesn’t care. It mediates access to the GPU and reserving memory on it anf uploading code to it. The code comes from your GPU driver in userspace.

That’s also effectively what Flatpak and Snap uses, and also Steam’s Runtime also uses containers.

I also wanted to put an emphasis on how working with virtual disks is very much the same as real ones. Same well known utilities to copy partitions work perfectly fine. Same cgdisk/parted and dd dance as you otherwise would.

Technically if you install the arch-install-scripts package on your host, you can even install ArchLinux into a VM exactly as if you were in archiso with the comfort of your desktop environment and browser. Straight up pacstrap it directly into the virtual disk.

Even crazier is, NBD (Network Block Device) is generic so it’s not even limited to disk images. You can forward a whole ass drive from another computer over WiFi and do what you need on it, even pass it to a VM boot it up.

With enough fuckery you could even wrap the partition in a fake partition table and boot the VM off the actual partition and make it bootable by both the host and the VM at the same time.

What you’re trying to do is called a P2V (Physical to Virtual). You want to directly copy the partition as going through a file share via Linux will definitely strip some metadata Windows wants on those files.

First, make a disk image that’s big enough to hold the whole partition and 1-2 GB extra for the ESP:

qemu-img create -f qcow2 YourDiskImageName.qcow2 300G

Then you can make the image behave like a real disk using qemu-nbd:

sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 YourDiskImageName.qcow2

At this point, the disk image behaves like any other disk at /dev/nbd0.

From there create a partition table, you can use cgdisk or parted or even the GUI GParted will work on it.

And finally, copy the partition over with dd:

sudo dd if=/dev/sdb3 of=/dev/nbd0p2 bs=4M status=progress

You can also copy the ESP/boot partition as well so the bootloader works.

Finally once you’re done with the disk image, unload it:

sudo qemu-nbd -d /dev/nbd0

It’s literally been working just fine for like a decade? Even for NVIDIA users that’s kind of a stretch.

Maybe if you share more details about your issues and your setup we can help fix it.

The ads come from an ad network where there is very little visibility into what’s going to be displayed in your app. And bad people also keep managing to get their ads published even though the ad network doesn’t allow them

And it all ties into the whole targeted advertising, where they also make sure very few people get the bad ad, and tries to target people they think may be more susceptible to these kinds of tactics. Depending on the amount of interactivity allowed, the ad can even display two different things if it deems you too savvy to fall for it.

It’s basically unescapable unless you only use apps without ads, or pay for the ad-free versions.

The whole advertising industry is sketchy, more news at 10.