Firejail network filters (en.wikipedia.org)
from FineCoatMummy@sh.itjust.works to privacy@lemmy.ml on 17 Jun 20:49
https://sh.itjust.works/post/61981499

Hey you beautiful privacy scoundrels! You magnificently private rascals and scamps!

I used this tool for a long time. Well I found something new and wanted to share.

Firejail is an easy single shot sandboxer. It’s easier than spinning up a whole ass VM. You can read about it if you wanna. What I wanted to share is the network part of it, which I never knew about before today!

There’s an option called netlock. What it does is track any outgoing network IP the sandboxed app connects to for 60s. Then everything after that is blocked. It will print the block list it uses. You can edit it if you want, as a base, adding or removing addresses, w/e. When you are happy, you can save it and use it with the netfilter option.

It’s great for let’s say a podcast app, that will connect to one or a few IPs, but should not send anything to anywhere else. Or even apps that should be 100% local, and you want to keep honest apps honest.

You can do all that with a VM too, by using firewalls and w/e. But this is handy for one-off uses, cases where you don’t want a whole ass VM. If you trust an app to not be a trojan, but you don’t totally trust where it might phone home to, you can make sure of what it’s doing. Like blocking analytics, but allowing a legit network endpoint for functionality.

Full docs here.

#privacy
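A hand-written allowlist in the iptables-save format that Firejail's --netfilter option loads, built from a list of addresses like the ones netlock prints. This is an added example, not code from the post or from the Firejail project; the addresses and the podcast-app name are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a Firejail netfilter allowlist from a list of IPs.
# Firejail feeds the file to iptables-restore inside the sandbox's network
# namespace, so it uses the plain iptables-save text format.
set -eu

# is_ipv4 ADDR : accept a dotted-quad IPv4 address, optionally with /prefix.
is_ipv4() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    echo "$1" | awk -F'[./]' 'NF<4||NF>5{exit 1}
        {for(i=1;i<=4;i++) if($i=="" || $i>255) exit 1;
         if(NF==5 && ($5=="" || $5>32)) exit 1}'
}

# gen_allowlist IP... : print a filter that keeps loopback open, lets replies
# to our own connections back in, and allows outbound traffic only to the
# listed addresses. Everything else is dropped by the chain policies.
# Caveat: with --net=... the sandbox gets its own namespace, so the DNS
# resolver's address must be in the list or name lookups will be dropped.
gen_allowlist() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
        printf '%s\n' "-A OUTPUT -d $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (constructed sample IPs, hypothetical app name):
#   gen_allowlist 203.0.113.10 198.51.100.7 > podcast.net
#   firejail --net=eth0 --netfilter=podcast.net podcast-app
```

The --netfilter option only applies inside a new network namespace, which is why the usage line pairs it with --net.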


helix@feddit.org on 18 Jun 05:19

Firejail is awesome, I love it on my desktop to sandbox games and browsers.

It’s basically an easier version of SELinux for end users.

You don’t need it for Flatpaks, there you want to use Flatseal.

You also don’t need it for Snaps since you shouldn’t use Snaps and instead switch to a different distribution which is not Ubuntu. Try Debian or literally anything else without Snaps.

Oh and thank you for the netlock feature! Can you do more than 60s so you can click around and test more?

FineCoatMummy@sh.itjust.works on 18 Jun 15:47

sandbox games

Oh!! I do that too. Agreed, it’s awesome for this. Easiest way to do it I’ve found. Single player games, I never, ever want them sending anything to anywhere. Also it can sandbox their filesystem access.

Can you do more than 60s

Hmm… I think so? Maybe? Man page says:

By default the network monitoring time is one minute.

But I haven’t yet stumbled on the way to change it, so I can’t say how.