Firejail [2] and Bubblewrap [3] can put limits on application capabilities and/or take away network access. Firejail has default policies for many applications, all of which can be overridden by user configurations in their home directory. Firejail leverages Linux Capabilities and AppArmor. For example, when I launch VLC even if it were configured to pull down album information, it could not. If one day they added default-enabled telemetry to VLC it would go nowhere.
A round-about and heavy handed way to manage communications by PID would be to isolation applications in their own VM or container and map the VM or container to a unique user or group.
[1] - https://ipset.netfilter.org/iptables-extensions.man.html
I enable JavaScript if I know who is running a site and where their company is located and/or if I have a binding contract with them. Even then I use disposable containers [1] for those sites and run bleachbit before/after visiting such sites and use sqlite3 to clear visit_time from places.sqlite. I launch Firefox from firejail [2] with AppArmor enforcement.
[1] - https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
Some of its more interesting features (in addition to the obvious path/privilege restrictions):
- putting the application into a separate network namespace with its own firewall rules/network interfaces (for example, you can force Firefox to work through a VPN connection only, or block incoming connections with your main firewall rules and allow them for a single application)
- using a separate X server for each application (works pretty much transparently)
- setting resource limits (network bandwidth, memory, CPU, I/O; although not as flexible as systemd limits, they can be combined)
- running `sudo firecfg` once will create a bunch of symlinks for all applications installed on your system and supported by firejail. After that, those applications will run under a sandbox automatically. Or you can create them manually (I did it for the PDF reader and such).
https://github.com/netblue30/firejail/
It uses the same kernel knobs as systemd does, but is more user-friendly and has more features.
I use it for every application that handles data received from other machines: books, images, documents, whatever.
$ systemd-run --user --scope --property=MemoryHigh=1G qbittorrent
Many isolation flags are not available in `systemd-run --user`, though, so if you'd like to have some protection you either have to combine `sudo systemd-run` with `su -c`, or wrap the command in firejail.
Firejail[0] allows cobbling together various linux sandboxing features, including namespaces which should result in an isolated proc filesystem which doesn't see the other processes. But I don't know if the default profile for zoom does that, you have to test it or write your own.
You can sandbox the majority of your apps on desktop Linux today with two simple commands:
- sudo apt/dnf install firejail
- sudo firecfg
Project: https://github.com/netblue30/firejail
Intro Video: https://www.youtube.com/watch?v=N-Mso2bSr3o
Disclosure, I am a contributor to firejail.
Also if you are already using flatpaks, you can install flatseal to easily point and click which permissions you want:
https://www.flathub.org/apps/details/com.github.tchx84.Flats...
Lastly you can sandbox your systemd daemons:
https://www.freedesktop.org/software/systemd/man/systemd.exe...
Have fun!
Supports Fedora, Arch, Debian, and openSUSE.
Has GNOME, Firefox, kernel cmdline, sysctl, firewalld, NetworkManager, and systemd unit hardening among other things.
Goes well with firejail (am a developer of): https://github.com/netblue30/firejail
https://github.com/netblue30/firejail
It's actually more mature for desktop sandboxing then the other solutions because its been effective for years and has a lot of community work on sandboxing -
https://github.com/chiraag-nataraj/firejail-profiles
If you want to use a prepackaged application vs sandboxing a new app or something in your distribution you should go with -
Not every app is well sandboxed with flatpak but this is the goal and they are making very good progress. Also a great way to track a larger project that your distribution doesn't keep up to date as you'd like.
just to note -- flatpak/flathub use bubblewrap under the covers which is very promising but I don't see the community profiles like firejail yet.
I am mainly a Firefox user on NixOS, but for running Chrom{e,ium} I find that Firejail [0] is a good option. For example, to run chromium in "store" mode and point it to the demo jitsi instance:
firejail --profile=chromium chromium --app="https://meet.jit.si"
nix-shell -p chromium --run "firejail --profile=chromium chromium --app=\"https://meet.jit.si\""
https://github.com/netblue30/firejail
Anything beyond that, and I think you need qubes-os:
1: https://blog.torproject.org/blog/q-and-yawning-angel 2: https://github.com/subgraph/oz 3: https://github.com/netblue30/firejail