@alven You are really hardheaded and I like people who are like that when it comes to security
Ok, in general you are targeting users who have no idea about firewalls, right? Since only certain programs are affected by such behavior, surely it would make more sense to isolate those programs instead of establishing a global software firewall. That's where the firejail program comes into play, for example.
- System calls with seccomp can be restricted
- Incoming connections are blocked by default (at least for programs that need it; an exception is, for example, transmission-gtk). This can also be further restricted.
- Access to the file system can be restricted.
- There are already profiles that provide a minimum level of security.
So in the end, firejail uses just about all the security features offered by the Linux kernel. The tool targets the home user and is relatively easy to use. There is also already a GUI for it.
So in general, it's not the kernel that's the problem, but the programs that exhibit unpredictable behavior or are proprietary and therefore tend to be less trusted.
If you really want to do something, then please do so, but not so half-heartedly with a firewall.
How to explain it to a normal user? If you install a program on Android, for example, then the apps are sandboxed like that. You have to allow these programs to have privileges on installation, but there are also apps that can manage the privileges and restrict them further. Firejail is something like that, but has its own rules, which are not set by the developers of the programs.
Frequently Asked Questions · netblue30/firejail Wiki · GitHub
Here is a profile for vlc for example:
➜ ~ cat /etc/firejail/vlc.profile
# Firejail profile for vlc
# Description: Multimedia player and streamer
# This file is overwritten after every install/update
# Persistent local customizations
include vlc.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/vlc
noblacklist ${HOME}/.config/vlc
noblacklist ${HOME}/.config/aacs
noblacklist ${HOME}/.local/share/vlc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
read-only ${DESKTOP}
mkdir ${HOME}/.cache/vlc
mkdir ${HOME}/.config/vlc
mkdir ${HOME}/.local/share/vlc
whitelist ${HOME}/.cache/vlc
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/aacs
whitelist ${HOME}/.local/share/vlc
include whitelist-common.inc
include whitelist-player-common.inc
include whitelist-var-common.inc
#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
caps.drop all
netfilter
nogroups
noinput
nonewprivs
noroot
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none
private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
private-dev
private-tmp
# dbus needed for MPRIS
# dbus-user none
# dbus-system none
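An added example, not part of the post above and not firejail's own code: a small Python parser for the profile syntax shown in vlc.profile, followed by a checklist that reports which of the hardening directives (seccomp, caps.drop all, noroot, nonewprivs, private-dev, private-tmp, shell none, netfilter, protocol) a profile actually enables. The embedded profile text is copied from the post; the checklist and its notes are this example's own choice of what to look for, and the checklist names and helper functions are assumptions, not firejail APIs.

```python
"""Parser for firejail profile syntax plus a hardening checklist over the result.

Added example: not firejail's own code. Directive names follow the vlc.profile
quoted in the post; the CHECKLIST contents are this example's own selection.
"""
from collections import defaultdict

# Constructed input: the vlc.profile from the post (header comments trimmed).
# The commented-out 'apparmor' and 'dbus-user' lines are kept on purpose to
# show that the parser does not count them as enabled.
SAMPLE_PROFILE = """\
include vlc.local
include globals.local
noblacklist ${HOME}/.cache/vlc
noblacklist ${HOME}/.config/vlc
noblacklist ${HOME}/.config/aacs
noblacklist ${HOME}/.local/share/vlc
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
read-only ${DESKTOP}
mkdir ${HOME}/.cache/vlc
mkdir ${HOME}/.config/vlc
mkdir ${HOME}/.local/share/vlc
whitelist ${HOME}/.cache/vlc
whitelist ${HOME}/.config/vlc
whitelist ${HOME}/.config/aacs
whitelist ${HOME}/.local/share/vlc
include whitelist-common.inc
include whitelist-player-common.inc
include whitelist-var-common.inc
#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
caps.drop all
netfilter
nogroups
noinput
nonewprivs
noroot
nou2f
protocol unix,inet,inet6,netlink
seccomp
shell none
private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
private-dev
private-tmp
# dbus needed for MPRIS
# dbus-user none
# dbus-system none
"""

def parse_profile(text):
    """Return {directive: [argument, ...]}; bare directives map to [''].

    Blank lines and lines starting with '#' are comments and are skipped.
    Includes are recorded, not resolved: the .inc files are not read here.
    """
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        directives[key].append(arg)
    return dict(directives)

# Directives this example treats as the core of a hardened profile (assumption:
# this list is the example's own, not a firejail recommendation).
CHECKLIST = {
    "seccomp":     "system-call filter active",
    "caps.drop":   "all Linux capabilities dropped",
    "noroot":      "user namespace without root",
    "nonewprivs":  "no privilege gain via setuid binaries",
    "private-dev": "minimal /dev",
    "private-tmp": "private /tmp",
    "shell":       "no shell wrapper around the program",
    "netfilter":   "default network filter requested",
    "protocol":    "socket families limited",
}

def hardening_report(profile):
    """Map each checklist directive to {'ok', 'arg', 'note'}."""
    report = {}
    for key, note in CHECKLIST.items():
        present = key in profile
        arg = profile[key][0] if present else None
        # 'caps.drop' and 'shell' only count with their strict argument.
        if key == "caps.drop":
            present = present and arg == "all"
        if key == "shell":
            present = present and arg == "none"
        report[key] = {"ok": present, "arg": arg, "note": note}
    return report

def missing(profile):
    """Sorted list of checklist directives the profile does not enable."""
    return sorted(k for k, v in hardening_report(profile).items() if not v["ok"])

def protocol_families(profile):
    """Socket families the profile allows, or None when unrestricted."""
    if "protocol" not in profile:
        return None
    return profile["protocol"][0].split(",")

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    for key, entry in hardening_report(prof).items():
        print(f"{'OK     ' if entry['ok'] else 'MISSING'} {key:12} {entry['note']}")
    print("missing:", missing(prof), "protocols:", protocol_families(prof))
```

Running it against the vlc profile reports every checklist item as OK; feeding it a sparser profile (for example one that only drops a single capability or leaves `shell` at its default) lists what is still open, which is the quick sanity check worth doing before trusting a profile you wrote or copied for a program that is not in the stock set.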