I want to run a shell script that might open my browser to a specific website. I don’t want the page to load when this happens. But I cannot switch off my internet access either (as I use the internet to remotely access another system at the same time). So I am planning to isolate the runtime environment for the shell script.
I am on Arch and I used to use an AUR package called bubblejail to do this. But with the whole AUR security fiasco, I am not trusting any packages from AUR. I can switch to another distro if needed, like Rocky or something.
So my requirement is: internet sandboxing for a terminal and the processes it spawns. Preferably using flatpak commands.
Edit: I tried disabling internet access for a terminal from Flathub using Flatseal. Sure, I cannot curl after this, but when I launch my browser from it, it had internet access.
Yet again a reminder that Flathub solves a problem most people don’t have, and most users get confused with what it does.
We have had granular permissions for users on systems for 50 years, and virtual machines for 30 years, yet people keep using the wrong tool for the job just because the wrong tools keep getting popular for some damn reason.
OP, you are using your flatpak terminal wrong: the processes it launches do not inherit the constraints, or at least are not forced to follow them. Use a separate user account for that.
You have to block the browser from the internet not the terminal.
You want to find a way to remove the “open other programs” permission from the terminal. Or run it in a VM without internet connection.
Yeah, that’s the simple answer. Install a VM, don’t give it network access. Probably quicker to install a distro with a ready rolled installer (Ubuntu/Fedora etc) than to install Arch
VirtualBox is quick to install and easy to use (but the owner of Oracle, Larry Ellison is evil so not the moral choice). Qemu-KVM is a bit more of a faff but is FOSS.
> Qemu-KVM is a bit more of a faff but is FOSS.
If they use virt-manager most of the faff is handled for you in a way very similar to Virtual Box. It’s not just as easy and you have to learn its idiosyncrasies. But I recommend trying it!
You need to figure out what D-Bus API is called to open the URL, and block it using the flatpak run argument --no-talk-name=NAME
firejail should be able to do this with a carefully crafted command line or config file.
I don’t think Flatseal isolates child processes, only the flatpak itself.
You could use firejail. That is available outside the AUR. As there is no socket available, if testing with a browser it should force the browser to crash. You could also try setting up a network namespace that only binds to loopback in case you want local device network access.
EDIT: I don’t think you need to switch distros to solve this problem, but if you do you could try NixOS. Obviously there is no AUR, but you can write .nix config files to fine tune how firejail automatically works with specific applications:
```nix
programs.firejail = {
  enable = true;
  wrappedBinaries = {
    firefox = {
      executable = "${pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
      extraArgs = [
        "--private-home=.mozilla"
        "--whitelist=\${HOME}/Desktop/BrowserSandbox"
      ];
    };
    transmission-qt = {
      executable = "${pkgs.transmission-qt}/bin/transmission-qt";
      profile = "${pkgs.firejail}/etc/firejail/transmission-qt.profile";
      extraArgs = [ "--net=none" ];
    };
  };
};
```
portmaster can turn off internet for a specific app, but even better it can block specific domains
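The loopback-only network namespace mentioned in the firejail comment above, as an added example that is not from any commenter in this thread. It assumes util-linux `unshare` and iproute2 `ip` are installed and that unprivileged user namespaces are enabled; the function names are my own.

```shell
#!/bin/sh
# Added example, not from any commenter in this thread: run a shell script in a
# fresh network namespace that contains only the loopback interface. Every
# process the script spawns (xdg-open, the browser, curl, ...) inherits the
# namespace, so none of them can reach the internet, while the rest of the
# desktop keeps its normal connectivity and can still use localhost services.
#
# Assumptions: util-linux `unshare` and iproute2 `ip` are installed, and
# unprivileged user namespaces are enabled (needed for --map-root-user).

# run_isolated CMD [ARGS...]
# Runs CMD inside a new user+network namespace. The namespace starts with a
# single, DOWN loopback device; bring it up, then exec the command so it keeps
# the caller's stdin/stdout and its exit status is returned unchanged.
run_isolated() {
    unshare --user --map-root-user --net \
        sh -c 'ip link set lo up && exec "$@"' run_isolated "$@"
}

# net_is_isolated
# Pre-flight check: returns 0 when, inside the namespace, the only interface
# is loopback and a public address has no route (so any attempt to load a web
# page fails immediately); returns 1 otherwise.
net_is_isolated() {
    run_isolated sh -c '
        # any interface other than lo means the namespace is not what we expect
        [ "$(ip -o link show | grep -vc ": lo:")" -eq 0 ] || exit 1
        # 192.0.2.1 is a documentation address; with only lo there is no route
        ! ip route get 192.0.2.1 >/dev/null 2>&1
    '
}

# Typical use: confirm isolation, then run the script that may open a browser.
# net_is_isolated && run_isolated ./untrusted.sh
```

One caveat that matches what others said above: if the script hands the URL to a browser that is already running outside the namespace (over D-Bus or the browser's own remote socket), that instance keeps its normal network, so start the browser itself from inside the namespace or point the script at a fresh profile.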
Actually, just putting the website domain (pointing at a local IP or something) into the hosts file will be enough.
There is likely a less complicated way to do it but sudo to another user account and then run it with the protection. This way it can’t reach your web browser. Or - I don’t know if your program can do it, but Firejail certainly can - hide browser binaries and xdg-open from it, but I don’t know how effective this will be against your particular script.
If you don’t trust something maybe don’t run it on your main OS?