I want to run a shell script that might open my browser to a specific website. I don’t want the page to load when this happen. But I cannot switch off my internet access also (as I use the internet to remotely access another system at the same time). So I am planning to isolate the run time environment for the shell script.
I an on Arch and I used to use a AUR package called bubblejail to do this. But with the whole AUR security fiasco, I am not trusting any packages from AUR. I can switch to another distro if needed, like Rocky or something.
So my requirement is, Internet sandboxing for a terminal and the processes it spawns. Preferably using flatpak commands.
Edit: I tried disabling the internet usage for a terminal from Flathub using Flatseal. Sure I cannot curl after this, but when I launch my browser using it, it had Internet access.
That’s honestly a fair point. Firejail is simpler to use, but is still imperatively driven. Nixpak relies on declarative expression which is kinda the whole selling point of NixOS. For SUID, again I think its a matter of complexity vs containment. One is easier, one is better isolated.
Firejail still might be the better choice in this given case, but that would depend on whether or not this is a per-user setup. Nixpak would win outright I would think outside that just based on reproducibility. I don’t think the user shared details on why/who this would be for.