Sandboxing applications on Linux
I recently learned how to use firejail, a command-line tool that allows you to run applications in a "secure" sandbox. I have no idea how secure it actually is.
But in my testing of it, I was able to force a script to only write files within its own directory. No idea if firejail prevents system calls that might jump outside of the directory limit.
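For readers who want to reproduce the "only write inside its own directory" setup, here is a small wrapper written for this page (it is not the post's own command line, and the project path and command are placeholders you supply). It assumes firejail is installed; every flag used is a real firejail option. On the syscall question raised above: firejail enforces the directory limit with a mount namespace, i.e. the sandboxed process's view of the filesystem is altered, so there is no per-call path check to "jump outside" of, and --seccomp adds a seccomp-bpf filter that blocks firejail's default list of dangerous syscalls at the kernel. That is not a guarantee against kernel bugs, but it is a different and stronger model than path filtering. The check_confinement function is the quick test a practitioner would run before trusting the setup.

```shell
#!/bin/sh
# Added example (not from the original post): confine a project's test run
# with firejail so the project directory becomes the process's home and the
# rest of the filesystem stays read-only. Assumes firejail is installed;
# PROJECT_DIR and the command are placeholders.

# Build the firejail argument list for confining a run to one directory.
# Printed one argument per line so callers can inspect it before running.
build_firejail_args() {
    dir=$1
    allow_net=${2:-no}
    # --noprofile: ignore firejail's per-application profiles so the policy
    #   is exactly the flags below.
    # --private=DIR: mount DIR as the sandbox's home; system directories
    #   are mounted read-only, so writes outside DIR fail.
    # --private-tmp / --private-dev: fresh empty /tmp and a minimal /dev, so
    #   the process cannot reach the webcam or other users' temp files.
    # --nosound / --novideo: no audio or video devices.
    # --caps.drop=all --nonewprivs --noroot: no capabilities, no setuid
    #   escalation, no root inside the sandbox.
    # --seccomp: firejail's default seccomp-bpf syscall filter.
    printf '%s\n' \
        --quiet \
        --noprofile \
        "--private=$dir" \
        --private-tmp \
        --private-dev \
        --nosound \
        --novideo \
        --caps.drop=all \
        --nonewprivs \
        --noroot \
        --seccomp
    # Network is off unless explicitly requested (npm install needs it once).
    [ "$allow_net" = yes ] || printf '%s\n' --net=none
}

# Run COMMAND inside the sandbox rooted at DIR.
# Usage: run_sandboxed DIR yes|no COMMAND [ARGS...]
run_sandboxed() {
    dir=$1; allow_net=$2; shift 2
    if ! command -v firejail >/dev/null 2>&1; then
        echo "run_sandboxed: firejail is not installed" >&2
        return 127
    fi
    # Split the argument list on newlines only (no globbing), so a path
    # containing spaces or '*' survives intact.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(build_firejail_args "$dir" "$allow_net") "$@"
    set +f
    IFS=$old_ifs
    firejail "$@"
}

# Probe the sandbox: a write inside DIR must succeed and a write to /usr
# must fail. Prints a one-line verdict; returns 0 only when both hold.
check_confinement() {
    dir=$1
    if run_sandboxed "$dir" no sh -c \
        'touch "$HOME/.sandbox-probe" && ! touch /usr/sandbox-probe 2>/dev/null'
    then
        rm -f "$dir/.sandbox-probe"
        echo "confinement ok: writes limited to $dir"
        return 0
    fi
    rm -f "$dir/.sandbox-probe"
    echo "confinement FAILED (or firejail missing) for $dir" >&2
    return 1
}

# Demo, only when the caller names a project directory (placeholder):
#   SANDBOX_DEMO_DIR=~/src/some-project sh sandbox.sh
if [ -n "${SANDBOX_DEMO_DIR:-}" ]; then
    check_confinement "$SANDBOX_DEMO_DIR"
    run_sandboxed "$SANDBOX_DEMO_DIR" no npm test
fi
```

Run the demo once with the network allowed (`run_sandboxed DIR yes npm install`) to fetch dependencies, then keep it at `no` for the actual test runs; that way an unreviewed dependency can neither phone home nor write outside the checkout, and check_confinement tells you immediately if a distro's firejail build or a local profile changes that.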
I did this because I was contributing to an open source project and wanted to test locally before submitting my changes. But I don't know or trust this developer (or the endless stack of NPM dependencies) so I don't want this software running unrestricted on my system.
And the whole experience SUCKED.
It just shouldn't be that hard. And I don't think it would be any easier on Windows either. I dunno.
When I was on Fedora, I remember SELinux doing some of this system-protection by default, which is cool but sometimes got in my way. And when it got in my way it was an absolute headache fixing it.
When I was younger, I would have loved tinkering with that shit. The system config stuff was really interesting to me as a teen. But now, I just wanna write my code, build my software, and have things WORK.
I know flatpaks provide some of these sandboxing features by default. But I've also heard many apps decline to use said protections because it makes things ... hinky? idk. And anyway, flatpaks are always huge and I don't want to run a system of flatpaks. And even then, it's a headache to re-configure if I want to change the sandboxing rules!
Some kind of sandbox-by-default would be incredible.
First time you launch a program, you select which directories/files it has access to (it should be pre-configured with defaults). Reading & writing could both be allowed or managed independently.
And then system services / hardware / whatever features could also be selected. Does it get network access? Bluetooth? Audio input/output? Webcam? Etc.
And then you right-click on the program's icon to re-configure its sandbox if needed. If the program has any sandbox-related errors, the sandbox configuration screen will communicate these and have checkmarks for each proposed fix, like "Allow 'write' access to the Pictures/Screenshots directory".
This is the kind of thing I want.
And if you're running things from the command line, then you can enable/disable sandboxing features globally, say with sandbox enable / sandbox disable. If enabled, then the first run of a script will prompt this sandbox configuration. If disabled, then sandbox ./script-name can sandbox that one script individually.
It would be so delicious.