AnswerBun.com

Isolate non-FOSS "completely"

Unix & Linux Asked by user654789384 on December 4, 2020

My question today is about the access-rights and control a program gets systemwide.
I use a Linux distro as my daily-driver, mainly for software development but also for daily operations.

I really like the idea of FOSS, however, I personally need additional tools. In this example I will take MS Teams as one such.

It’s worth pointing out that I know my way around an OS like GNU/Linux, but I’m just a simple user and do not have deep know-how of how an OS operates.

Question

If I have an application like teams, is there no way I can let it run on my system, but limit its "power"? In this case:

  • I would like to sandbox teams so it’s normally only able to talk to MS so I can chat or call (So only internet access + microphone access, no access to my files or any other thing it does not need for my purpose).
  • Then in some cases, it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast.
  • and many more cases like this, again, teams just as one example…

What utilities are already existing for me to achieve this? Or do they not exist yet? Why not?

Thanks for your comments.

One Answer

Sandbox

firejail

microphone access

AFAIK there are no tools for that however you can mute the microphone in pavucontrol for the app and unmute it only when required.

Talk only to MS servers

Running as a separate user (using xhost/export DISPLAY= might be required depending on your distro and invocation) and using iptables -O OUTPUT -d IP_ADDRESS --uid-owner $USERNAME/nftables add rule filter output meta skuid $USERNAME counter. Then there's an application level firewall but I'm not sure it works as the project seems to be abandoned: https://github.com/Douane/

it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast

AFAIK there are not such tools in Linux. With the X11 security model each application can grab the entire screen any time it wants. You can however run it using a different Xorg server (Xorg :1) in which case it won't be able to access your primary screen (:0) but screen sharing will become impossible.

If you are paranoid/concerned, I'd suggest running the application in a VM (e.g. VirtualBox). It will completely isolate the app from your host PC but at the expense of not being able to share your screen.

Answered by Artem S. Tashkinov on December 4, 2020

Add your own answers!

Related Questions

KDE plasma update

1  Asked on February 17, 2021 by jazahalka

       

python3 binary in /usr/local/bin but also…not?

1  Asked on February 17, 2021 by sam-dillard

     

How can I migrate/backup/restore a virt-manager snapshot?

1  Asked on February 16, 2021 by user73383

 

awk match last record and print

3  Asked on February 16, 2021 by darioit

   

How to stop marking while in tmux copy-mode?

2  Asked on February 15, 2021 by shuzheng

       

Configuring Debian Buster (10) for IPv6 with DHCP

2  Asked on February 13, 2021 by chmike

   

tar / pack `a-r` “unreadable” files

0  Asked on February 13, 2021 by ald-in

       

How to change ssh agent unix socket location on server side

2  Asked on February 13, 2021 by aisbaa

 

When linux use https_proxy instead of http_proxy?

1  Asked on February 12, 2021 by user103567

   

curl REST calls with Pagination

0  Asked on February 11, 2021 by laktak

     

How to mount a cifs share from a SMB3 linux server?

1  Asked on February 11, 2021 by elbarna

 

How to make grep to blink the matched pattern?

1  Asked on February 11, 2021 by s

   

Ask a Question

Get help from others!

© 2022 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir