Integration with firejail / crabjail / bubblewrap #927
Replies: 2 comments 1 reply
-
Moved to ideas. I don't think we should add this. I don't even know how we could integrate it, or what the user would expect from opensnitch in this regard. I mean, this is an application firewall and I guess that no one expects that it will fully isolate applications; it only controls network activity. It can intercept and block connections by application, but that's all. It can be configured to intercept connections from containers, but it's not enabled by default. On the other hand, apps like firejail control all aspects of an application, from filesystem to networking: you can enable/disable network protocols for the isolated applications, so some functionality is already there.
-
Seems like there was quite a bit of miscommunication here mostly by not describing well what would be a rather useful feature. Flatpak is an increasingly common solution for distributing programs in a sandbox with all required dependencies. Problem is that while it went the questionable way of trying to emulate phone apps with many of their limitations, it stopped even short of that, because it's not isolating networking. OpenSnitch could help here with some namespace awareness which seems to be lacking (that's also a security problem). The trickier part is higher level integration, but I can see that being out of scope.
Regarding the need for namespace awareness and the security issue, there's a problem mostly with mount namespaces.
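The "namespace awareness" the comment above asks for comes down to one check: which network and mount namespaces does the process that opened a connection live in, and are they the same ones the firewall itself runs in? The following is an added example, not opensnitch, firejail, flatpak or crabjail code. It assumes only the Linux /proc layout, where `/proc/<pid>/ns/net` is a symlink whose target reads like `net:[4026531992]` and the number is the namespace inode; the `build_fake_proc` helper, the sample pids 1000/2000/3000 and all inode numbers are constructed so the script runs offline without a real sandbox.

```python
"""Namespace awareness for a per-application firewall: find which
network and mount namespaces a process lives in by reading the
/proc/<pid>/ns/* symlinks, and compare them with the firewall's own.

Added example; not opensnitch, firejail or flatpak code. It assumes
only the Linux /proc layout, where /proc/<pid>/ns/net resolves to a
string such as 'net:[4026531992]' whose number is the namespace inode.
"""
import os
import re
import tempfile

NS_KINDS = ("net", "mnt", "pid", "user")
_NS_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def namespace_id(pid, kind, proc_root="/proc"):
    """Return the inode number identifying the `kind` namespace of `pid`.

    Raises ValueError if the link target does not have the kind:[inode]
    form (e.g. a /proc that is not Linux's, or a hidden pid).
    """
    link = os.path.join(proc_root, str(pid), "ns", kind)
    target = os.readlink(link)
    m = _NS_RE.match(target)
    if not m or m.group("kind") != kind:
        raise ValueError(f"unexpected namespace link target {target!r} at {link}")
    return int(m.group("inode"))


def namespace_report(pid, proc_root="/proc", kinds=NS_KINDS):
    """For each namespace kind, say whether `pid` shares it with this process.

    A process whose net namespace differs from ours is one whose
    connections a host-level application firewall will not see unless it
    hooks that namespace explicitly; a different mnt namespace means the
    path we resolve via /proc/<pid>/exe need not be the same file in the
    host's view, so a path-based rule can match the wrong binary.
    """
    report = {}
    for kind in kinds:
        mine = namespace_id("self", kind, proc_root)
        theirs = namespace_id(pid, kind, proc_root)
        report[kind] = {"inode": theirs, "shared_with_firewall": mine == theirs}
    return report


def sandboxed_kinds(pid, proc_root="/proc", kinds=NS_KINDS):
    """Sorted names of the namespaces in which `pid` is isolated from us."""
    rep = namespace_report(pid, proc_root, kinds)
    return sorted(k for k, v in rep.items() if not v["shared_with_firewall"])


def build_fake_proc(entries):
    """Build a constructed /proc look-alike (hypothetical helper) for
    offline demonstration.  `entries` maps pid -> {kind: inode}.  Dangling
    symlinks suffice: os.readlink returns only the target text, exactly as
    it does on a real /proc.
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, ns in entries.items():
        nsdir = os.path.join(root, str(pid), "ns")
        os.makedirs(nsdir)
        for kind, inode in ns.items():
            os.symlink(f"{kind}:[{inode}]", os.path.join(nsdir, kind))
    return root


# Constructed sample (all pids and inodes invented): the firewall ("self")
# runs in the host namespaces; pid 1000 is a plain host process; pid 2000
# is a flatpak-style sandbox (own mnt/pid/user namespaces, host network);
# pid 3000 is a firejail-style sandbox that also got its own netns.
HOST = {"net": 4026531992, "mnt": 4026531840, "pid": 4026531836, "user": 4026531837}
SAMPLE = {
    "self": HOST,
    1000: HOST,
    2000: {**HOST, "mnt": 4026532501, "pid": 4026532502, "user": 4026532503},
    3000: {"net": 4026532600, "mnt": 4026532601, "pid": 4026532602, "user": 4026532603},
}


def demo():
    """Run the check over the constructed sample; returns pid -> isolated kinds."""
    root = build_fake_proc(SAMPLE)
    return {pid: sandboxed_kinds(pid, root) for pid in (1000, 2000, 3000)}


if __name__ == "__main__":
    for pid, kinds in demo().items():
        print(pid, "isolated in:", kinds or "nothing (host namespaces)")
```

On a real host, `sandboxed_kinds(pid)` with the default `proc_root` does the same lookup against the live /proc; the report is what a firewall would attach to a connection event so that a "host process" rule and a "same binary inside a sandbox" rule can be told apart, and so that a connection leaving a foreign net namespace is at least flagged as unseen rather than silently allowed.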
-
I have posted a question in netblue30/firejail#5779 (comment)
I got one reply with
OpenSnitch is just a firewall, though pretty cool, especially UI. I think THE answer would be to integrate Firejail with it (or just the UI)
I actually prefer crabjail though https://codeberg.org/crabjail/issues/issues/1, because I am biased towards Rust, and firejail has obscure, ambiguous syntax for configuration. I often have to edit profiles that I have no clue what they mean at all.
The integration would make it the one-stop solution for Linux sandboxing. Flatpak does too much by being both a package manager and a sandbox, and it still doesn't support netns natively. For the package-managing part Nix is better, preferably with IPFS.