submitted 22 hours ago* (last edited 22 hours ago) by brokenwing@discuss.tchncs.de to c/linux@lemmy.ml

I want to run a shell script that might open my browser to a specific website. I don't want the page to load when this happens. But I also cannot switch off my internet access (as I use the internet to remotely access another system at the same time). So I am planning to isolate the runtime environment for the shell script.

I am on Arch and I used to use an AUR package called bubblejail to do this. But with the whole AUR security fiasco, I am not trusting any packages from AUR. I can switch to another distro if needed, like Rocky or something.

So my requirement is, Internet sandboxing for a terminal and the processes it spawns. Preferably using flatpak commands.

Edit: I tried disabling the internet usage for a terminal from Flathub using Flatseal. Sure I cannot curl after this, but when I launch my browser using it, it had Internet access.

all 11 comments
[-] Eggymatrix@sh.itjust.works 1 points 6 hours ago

Yet again a reminder that flathub solves a problem most people don't have, and most users get confused with what it does.

We have had granular permissions for users on systems for 50 years, and virtual machines for 30 years, yet people keep using the wrong tool for the job just because the wrong tools keep getting popular for some damn reason.

OP, you are using your flatpak terminal wrong: the processes it launches do not inherit the constraints, or at least are not forced to follow them. Use a separate user account for that.

[-] dieTasse@feddit.org 2 points 10 hours ago

You have to block the browser from the internet not the terminal.

[-] mcmodknower@programming.dev 4 points 21 hours ago

You want to find a way to remove the "open other programs" permission from the terminal. Or run it in a VM without internet connection.

Yeah, that's the simple answer. Install a VM, don't give it network access. Probably quicker to install a distro with a ready rolled installer (Ubuntu/Fedora etc) than to install Arch.

VirtualBox is quick to install and easy to use (but the owner of Oracle, Larry Ellison, is evil so not the moral choice). Qemu-KVM is a bit more of a faff but is FOSS.

Qemu-KVM is a bit more of a faff but is FOSS.

If they use virt-manager most of the faff is handled for you in a way very similar to VirtualBox. It's not just as easy and you have to learn its idiosyncrasies. But I recommend trying it!

[-] blobjim@hexbear.net 2 points 19 hours ago

You need to figure out what D-Bus API is called to open the URL, and block it using the flatpak run argument --no-talk-name=NAME.

[-] A_norny_mousse@piefed.zip 2 points 20 hours ago

firejail should be able to do this with a carefully crafted command line or config file.

[-] Mordikan@kbin.earth 1 points 20 hours ago

I don't think flatseal isolates child processes, only the flatpak itself.

You could use firejail. That is available outside the AUR. As there is no socket available, if testing with a browser it should force the browser to crash. You could also try setting up a network namespace that only binds to loopback in case you want local device network access.

EDIT: I don't think you need to switch distros to solve this problem, but if you do you could try NixOS. Obviously there is no AUR, but you can write .nix config files to fine tune how firejail automatically works with specific applications:

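# NixOS module fragment: wrap selected binaries so they always start under firejail.
programs.firejail = {
  enable = true;
  wrappedBinaries = {

    firefox = {
      executable = "${pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
      extraArgs = [
        # Private home directory that keeps only ~/.mozilla
        "--private-home=.mozilla"
        # \${HOME} is escaped so firejail, not Nix, expands it
        "--whitelist=\${HOME}/Desktop/BrowserSandbox"
      ];
    };

    transmission-qt = {
      executable = "${pkgs.transmission-qt}/bin/transmission-qt";
      profile = "${pkgs.firejail}/etc/firejail/transmission-qt.profile";
      extraArgs = [
        # New, unconnected network namespace: no network access
        "--net=none"
      ];
    };

  };
};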
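
The loopback-only network namespace suggested in the comment above, as an added example that is not part of the original comment or of any project named in the thread. It assumes util-linux `unshare` with unprivileged user namespaces enabled; `run_offline`, `non_loopback_ifaces` and the sample `/proc/net/dev` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: run a command in a fresh network namespace and refuse to
# start it unless loopback is the only interface visible inside.

# awk program: print every interface name except "lo" from /proc/net/dev text.
AWK_NON_LO='NR > 2 { gsub(/[ \t]/, "", $1); if ($1 != "lo") print $1 }'

# Constructed sample of /proc/net/dev on a host with one wired interface.
SAMPLE_HOST_DEV='Inter-|   Receive                  |  Transmit
 face |bytes packets errs drop |bytes packets errs drop
    lo:  1200      10    0    0   1200      10    0    0
  eth0: 98000     700    0    0  45000     500    0    0'

# Read /proc/net/dev-formatted text on stdin, list non-loopback interfaces.
non_loopback_ifaces() {
    awk -F: "$AWK_NON_LO"
}

# run_offline CMD [ARGS...] (hypothetical helper name)
#   -r maps the current user to root in a new user namespace so that
#   -n (new network namespace) works without sudo.
run_offline() {
    unshare -rn -- sh -c '
        prog=$1; shift
        # /proc/net/dev reflects the namespace of the reading process.
        extra=$(awk -F: "$prog" /proc/net/dev)
        if [ -n "$extra" ]; then
            echo "refusing to run, interfaces present: $extra" >&2
            exit 125
        fi
        # Loopback starts down in a new namespace; bring it up if ip exists.
        ip link set lo up 2>/dev/null || true
        exec "$@"
    ' sh "$AWK_NON_LO" "$@"
}

# Usage: run_offline ./untrusted-script.sh
```

Everything started inside the namespace, including a browser the script launches itself, inherits the missing network. A browser that is already running outside it can still be handed the URL over local IPC such as a path-based Unix socket, which a network namespace does not isolate.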

[-] HelloRoot@lemy.lol 1 points 20 hours ago

Portmaster can turn off internet for a specific app, but even better, it can block specific domains.

Actually, just putting the website domain (with local IP or something) into the hosts file will be enough.

[-] RheumatoidArthritis@mander.xyz 1 points 20 hours ago

There is likely a less complicated way to do it but sudo to another user account and then run it with the protection. This way it can't reach your web browser. Or - I don't know if your program can do it, but Firejail certainly can - hide browser binaries and xdg-open from it, but I don't know how effective this will be against your particular script.

If you don't trust something maybe don't run it on your main OS?

this post was submitted on 14 Jun 2026
13 points (100.0% liked)
