Isolate non-FOSS "completely"

Unix & Linux Asked by user654789384 on December 4, 2020

My question today is about the access-rights and control a program gets systemwide.
I use a Linux distro as my daily-driver, mainly for software development but also for daily operations.

I really like the idea of FOSS, however, I personally need additional tools. In this example I will take MS Teams as one such.

It’s worth pointing out that I know my way around an OS like GNU/Linux, but I’m just a simple user and do not have deep know-how of how an OS operates.


If I have an application like Teams, is there no way I can let it run on my system, but limit its "power"? In this case:

  • I would like to sandbox Teams so it's normally only able to talk to MS so I can chat or call (so only internet access + microphone access, no access to my files or any other thing it does not need for my purpose).
  • Then in some cases, it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast.
  • And many more cases like this; again, Teams is just one example…

What utilities are already existing for me to achieve this? Or do they not exist yet? Why not?

Thanks for your comments.

One Answer



microphone access

AFAIK there are no tools for that; however, you can mute the microphone in pavucontrol for the app and unmute it only when required.

Talk only to MS servers

Running as a separate user (using xhost/export DISPLAY= might be required depending on your distro and invocation) and using iptables -A OUTPUT -d IP_ADDRESS -m owner --uid-owner $USERNAME / nft add rule filter output meta skuid $USERNAME counter. Then there's an application level firewall but I'm not sure it works as the project seems to be abandoned:

it shall be allowed to screen share, but I would need to give it access EVERY TIME when I initiate a screen cast

AFAIK there are no such tools in Linux. With the X11 security model each application can grab the entire screen any time it wants. You can however run it using a different Xorg server (Xorg :1) in which case it won't be able to access your primary screen (:0) but screen sharing will become impossible.

If you are paranoid/concerned, I'd suggest running the application in a VM (e.g. VirtualBox). It will completely isolate the app from your host PC but at the expense of not being able to share your screen.

Answered by Artem S. Tashkinov on December 4, 2020
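
The per-user firewall idea from the answer above, as an added example that is not part of the original answer: a shell function that prints an nftables ruleset confining one UID to an allowlist. It goes beyond the answer's single match rule by adding a default reject; the table name `appjail`, the user name `teamsbox` and the addresses (RFC 5737 documentation ranges) are assumptions, not real Microsoft endpoints.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that confines one local user's
# outbound traffic to an allowlist. Table name and sample addresses are
# constructed placeholders, not values from the original answer.

# gen_ruleset USER ADDR_OR_CIDR...
# Prints the ruleset on stdout; returns non-zero on bad input.
gen_ruleset() {
    user=$1; shift
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "need at least one address" >&2; return 1; }

    elements=
    for addr in "$@"; do
        # Accept only the dotted-quad shape with an optional prefix length,
        # so nothing else can be smuggled into the generated ruleset.
        printf '%s\n' "$addr" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
            { echo "bad address: $addr" >&2; return 1; }
        elements="${elements:+$elements, }$addr"
    done

    cat <<EOF
table inet appjail {
    set allowed4 {
        type ipv4_addr
        flags interval
        elements = { $elements }
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Loopback stays open so a local stub resolver remains reachable.
        meta skuid $uid oifname "lo" accept
        meta skuid $uid ip daddr @allowed4 accept
        # Everything else from this UID, including all IPv6, is refused.
        meta skuid $uid counter reject
    }
}
EOF
}

# Usage (as root): gen_ruleset teamsbox 203.0.113.0/24 198.51.100.7 | nft -f -
```

The loopback rule also leaves any other service listening on localhost reachable by the confined user, and the allowlist has to be refreshed by hand when the vendor's address ranges change.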
