TransWikia.com

Isolate non-FOSS "completely"

Unix & Linux Asked by user654789384 on December 4, 2020

My question today is about the access-rights and control a program gets systemwide.
I use a Linux distro as my daily-driver, mainly for software development but also for daily operations.

I really like the idea of FOSS, however, I personally need additional tools. In this example I will take MS Teams as one such.

It’s worth pointing out that I know my way around an OS like GNU/Linux, but I’m just a simple user and do not have deep know-how of how an OS operates.

Question

If I have an application like Teams, is there no way I can let it run on my system, but limit its "power"? In this case:

  • I would like to sandbox Teams so it’s normally only able to talk to MS so I can chat or call (so only internet access + microphone access, no access to my files or any other thing it does not need for my purpose).
  • Then in some cases, it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast.
  • And many more cases like this; again, Teams is just one example…

What utilities are already existing for me to achieve this? Or do they not exist yet? Why not?

Thanks for your comments.

One Answer

Sandbox

firejail

microphone access

AFAIK there are no tools for that; however, you can mute the microphone in pavucontrol for the app and unmute it only when required.

Talk only to MS servers

Running as a separate user (using xhost/export DISPLAY= might be required depending on your distro and invocation) and using iptables -A OUTPUT -m owner --uid-owner $USERNAME -d IP_ADDRESS / nft add rule filter output meta skuid $USERNAME counter. Then there's an application-level firewall, but I'm not sure it works as the project seems to be abandoned: https://github.com/Douane/

it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast

AFAIK there are no such tools in Linux. With the X11 security model each application can grab the entire screen any time it wants. You can however run it using a different Xorg server (Xorg :1), in which case it won't be able to access your primary screen (:0), but screen sharing will become impossible.

If you are paranoid/concerned, I'd suggest running the application in a VM (e.g. VirtualBox). It will completely isolate the app from your host PC but at the expense of not being able to share your screen.

Answered by Artem S. Tashkinov on December 4, 2020
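
The per-user filtering idea from the answer above, carried one step further into a destination allowlist, as an added example that is not part of the original answer. The account name teamsbox, the table name appjail and the documentation-range addresses are assumptions for illustration, not real Microsoft endpoints.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that lets one dedicated account
# reach only an allowlist of IPv4 destinations and rejects everything else
# that account sends. All other users are left untouched.
# Assumed names: account "teamsbox", table "appjail" (hypothetical).

valid_user() {   # restrict to characters that are safe inside the ruleset
    case "$1" in ''|*[!a-z0-9_-]*) return 1 ;; esac
}

valid_dest() {   # shape check only: dotted quad with optional /prefix
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

gen_ruleset() {  # usage: gen_ruleset USER DEST...
    user=$1; shift
    valid_user "$user" || { echo "bad user name: $user" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no destinations given" >&2; return 1; }
    set_elems=
    for d in "$@"; do
        valid_dest "$d" || { echo "bad destination: $d" >&2; return 1; }
        set_elems="${set_elems:+$set_elems, }$d"
    done
    # The "inet" family covers IPv4 and IPv6, so the final reject also
    # stops IPv6 traffic from this account. Loopback stays open so a
    # local stub resolver keeps working; a remote DNS server must be
    # listed as a destination explicitly.
    cat <<EOF
table inet appjail {
    chain output {
        type filter hook output priority 0; policy accept;
        meta skuid != $user return
        oifname "lo" accept
        ip daddr { $set_elems } counter accept
        counter reject
    }
}
EOF
}

# Review the output first, then load it as root (constructed addresses):
#   gen_ruleset teamsbox 192.0.2.0/24 198.51.100.7 | nft -f -
```

The counters on the accept and reject rules show, via nft list table inet appjail, how much of the application's traffic falls outside the allowlist before you rely on it.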
