Isolate non-FOSS "completely"

Unix & Linux Asked by user654789384 on December 4, 2020

My question today is about the access-rights and control a program gets systemwide.
I use a Linux distro as my daily-driver, mainly for software development but also for daily operations.

I really like the idea of FOSS, however, I personally need additional tools. In this example I will take MS Teams as one such.

It’s worth pointing out that I know my way around an OS like GNU/Linux, but I’m just a simple user and do not have deep know-how of how an OS operates.


If I have an application like teams, is there no way I can let it run on my system, but limit its "power"? In this case:

  • I would like to sandbox teams so it’s normally only able to talk to MS so I can chat or call (So only internet access + microphone access, no access to my files or any other thing it does not need for my purpose).
  • Then in some cases, it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast.
  • and many more cases like this, again, teams just as one example…

What utilities are already existing for me to achieve this? Or do they not exist yet? Why not?

Thanks for your comments.

One Answer



microphone access

AFAIK there are no tools for that; however, you can mute the microphone in pavucontrol for the app and unmute it only when required.

Talk only to MS servers

Running as a separate user (using xhost/export DISPLAY= might be required depending on your distro and invocation) and using iptables -A OUTPUT -d IP_ADDRESS -m owner --uid-owner $USERNAME / nft add rule filter output meta skuid $USERNAME counter. Then there's an application level firewall but I'm not sure it works as the project seems to be abandoned:

it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast

AFAIK there are no such tools in Linux. With the X11 security model each application can grab the entire screen any time it wants. You can however run it using a different Xorg server (Xorg :1) in which case it won't be able to access your primary screen (:0) but screen sharing will become impossible.

If you are paranoid/concerned, I'd suggest running the application in a VM (e.g. VirtualBox). It will completely isolate the app from your host PC but at the expense of not being able to share your screen.

Answered by Artem S. Tashkinov on December 4, 2020
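
The per-user egress filtering mentioned in the answer, as an added example that is not part of the original answer: a shell function that generates (but does not load) an nftables ruleset allowing one UID to reach only an IPv4 allow-list and rejecting everything else from that UID. It goes beyond the counting-only rule above by adding accept/reject verdicts; the function name gen_egress_ruleset, the table name app_egress, the user teamsbox and the documentation-range addresses are assumptions.

```shell
#!/bin/sh
# Added example: generate (not apply) an nftables ruleset that limits one
# local user's outbound traffic to an IPv4 allow-list.
# Hypothetical names: gen_egress_ruleset, table "app_egress", user "teamsbox".

gen_egress_ruleset() {
    # $1 = user name or numeric UID, remaining args = IPv4 addresses / CIDRs
    [ "$#" -ge 2 ] || { echo "usage: gen_egress_ruleset USER ADDR..." >&2; return 2; }
    user=$1; shift

    # Resolve to a numeric UID so the ruleset does not depend on name lookups.
    case $user in
        ''|*[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; } ;;
        *) uid=$user ;;
    esac

    # Accept only digits, dots and a prefix slash, so nothing else can be
    # smuggled into the generated ruleset text.
    set_elems=
    for addr in "$@"; do
        case $addr in
            ''|*[!0-9./]*) echo "rejecting address: $addr" >&2; return 1 ;;
        esac
        set_elems="${set_elems:+$set_elems, }$addr"
    done

    # First rule: allow-listed destinations. Second rule: everything else
    # from this UID (including all IPv6, since only "ip daddr" is allowed).
    cat <<EOF
table inet app_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        meta skuid $uid ip daddr { $set_elems } counter accept
        meta skuid $uid counter reject
    }
}
EOF
}

# Constructed sample input (documentation address ranges, not real servers):
# gen_egress_ruleset teamsbox 192.0.2.10 198.51.100.0/24 > app_egress.nft
# nft -c -f app_egress.nft    # syntax check only
# nft -f app_egress.nft       # load (as root)
```

The sandboxed user's DNS resolver has to be on the allow-list too, otherwise name resolution fails before any connection is attempted.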
