I want to run a shell script that might open my browser to a specific website. I don’t want the page to load when this happens. But I also cannot switch off my internet access (as I use the internet to remotely access another system at the same time). So I am planning to isolate the runtime environment for the shell script.
I am on Arch and I used to use an AUR package called bubblejail to do this. But with the whole AUR security fiasco, I am not trusting any packages from the AUR. I can switch to another distro if needed, like Rocky or something.
So my requirement is: internet sandboxing for a terminal and the processes it spawns, preferably using flatpak commands.
Edit: I tried disabling internet access for a terminal from Flathub using Flatseal. Sure, I cannot curl after this, but when I launched my browser from it, the browser had internet access.


I don’t think Flatseal isolates child processes, only the flatpak itself.
You could use firejail. That is available outside the AUR. As there is no socket available, if testing with a browser it should force the browser to crash. You could also try setting up a network namespace that only binds to loopback in case you want local device network access.
EDIT: I don’t think you need to switch distros to solve this problem, but if you do you could try NixOS. Obviously there is no AUR, but you can write .nix config files to fine tune how firejail automatically works with specific applications:
    programs.firejail = {
      enable = true;
      wrappedBinaries = {
        firefox = {
          executable = "${pkgs.firefox}/bin/firefox";
          profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
          extraArgs = [ "--private-home=.mozilla" "--whitelist=\${HOME}/Desktop/BrowserSandbox" ];
        };
        transmission-qt = {
          executable = "${pkgs.transmission-qt}/bin/transmission-qt";
          profile = "${pkgs.firejail}/etc/firejail/transmission-qt.profile";
          extraArgs = [ "--net=none" ];
        };
      };
    };

On NixOS why not use Nixpak? (which doesn’t require SUID binaries)
That’s honestly a fair point. Firejail is simpler to use, but is still imperatively driven. Nixpak relies on declarative expressions, which is kinda the whole selling point of NixOS. For SUID, again I think it’s a matter of complexity vs containment. One is easier, one is better isolated.
Firejail still might be the better choice in this given case, but that would depend on whether or not this is a per-user setup. Outside of that, Nixpak would win outright, I would think, just based on reproducibility. I don’t think the user shared details on why/who this would be for.
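The loopback-only network namespace suggested above is easy to build without firejail or any AUR package, using only util-linux. The script below is an added example and is not code from anyone in the thread; it assumes `unshare` from util-linux, optionally `ip` from iproute2, and a kernel that permits unprivileged user namespaces (the Arch default; on Rocky check `sysctl user.max_user_namespaces`). It is the equivalent of firejail's `--net=none` plus a live loopback: the command, and every process it spawns, runs in a fresh network namespace that contains only `lo`, so a browser launched from the sandboxed shell has no interface to route through while the host keeps its connection. The check functions exist to confirm the point the Flatseal experiment missed, namely that a grandchild process is still inside the namespace.

```shell
#!/bin/sh
# netsandbox.sh - added example (not from the thread): run a command, and
# every process it spawns, in a network namespace that holds only loopback.
# Assumes util-linux `unshare`, optionally iproute2 `ip`, and a kernel that
# allows unprivileged user namespaces.

# Run "$@" inside a fresh user+network namespace. Namespaces are inherited
# by children, so anything the sandboxed shell launches stays offline too.
netsandbox() {
    # -U: new user namespace, so no root is needed on the host
    # -r: map our uid to root inside it; that grants CAP_NET_ADMIN over the
    #     new netns, which is needed to bring lo up (caveat: programs that
    #     refuse to run as uid 0, e.g. Chromium, will complain)
    # -n: new network namespace; it starts with only a DOWN loopback device
    unshare -Urn sh -c '
        # Without lo up, even 127.0.0.1 listeners are unreachable; bring it
        # up when iproute2 is present, otherwise carry on without it.
        command -v ip >/dev/null 2>&1 && ip link set lo up
        exec "$@"' netsandbox-inner "$@"
}

# Interface names seen from inside the sandbox. /proc/net/dev reflects the
# reader's own netns; /sys/class/net would NOT, since it shows the namespace
# that mounted sysfs and would still list the host's NICs.
netsandbox_interfaces() {
    netsandbox sh -c 'tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d " "'
}

# Succeeds when a *grandchild* of the sandboxed shell still sees only lo,
# which is exactly the "terminal launches a browser" case in the question.
netsandbox_is_offline() {
    [ "$(netsandbox sh -c 'sh -c "tail -n +3 /proc/net/dev | cut -d: -f1 | tr -d \" \""')" = "lo" ]
}

# Usage: ./netsandbox.sh alacritty   (or any terminal / script to isolate)
if [ $# -gt 0 ]; then
    netsandbox "$@"
fi
```

Run `./netsandbox.sh "$TERMINAL"` and launch the browser from that terminal: it will be unable to resolve or connect, while curl from any other terminal keeps working. If `unshare -Urn true` fails with "Operation not permitted", unprivileged user namespaces are disabled on that host and the same wrapper has to be started as root (drop `-Ur`) or replaced with firejail, which carries the SUID helper for exactly this reason.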