firejail
ufw
And docker
if you are paranoid. (You can completely shut off the network of specific commands -- can't get any better (and safer) than that!).
firejail
ufw
And docker
if you are paranoid. (You can completely shut off the network of specific commands -- can't get any better (and safer) than that!).
Firejail has some big security flaws. There us bubblejail, which uses the way better bubblewrap also used for Flatpaks.
But the Bubblewrap and Flatpak Situation is quite complex. Flatpaks, as well as Podman containers, require user namespaces. Through these namespaces programs can get privileged access to system components, which is why secureblue now has bubblewrap-suid
installed.
bubblejail maybe uses that binary already, or it needs to be patched too.
I keep seeing firejail being recommended though, were the security flaws still not fixed?
I love ufw... So straightforward and easy to use.
It's a pity that docker doesn't work with it well...
Doesn't podman solve that issue?
Yup securitywise I would also say Podman > Docker
To add to this systemd can do everything they can. You can isolate network, do fire-walling, and sandboxing pretty easily. Any OCI container can be used too if you don’t want to install something too.
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0