Here is a method I have been reading up on for the last few days about how to do application-level isolation on Linux. However, I did not get to complete my testing, so I am leaving the general thought/process here for others to test.
NOTES:
- What I found interesting when I read the documentation was step #3 in which a command alias could be created for running applications in a chroot sandbox.
- I also did not get to test sandboxing root (which, if it didn't work, could nullify the need/use for most cases).
- I would imagine there are some security vulnerabilities with Firejail itself but I also didn’t get a chance to investigate the level or quantity (but the project does look to be active).
From the firejail documentation (untested):
Step 1: Build a basic Debian sid filesystem:
$ sudo mkdir /chroot-sid
$ sudo debootstrap --arch=amd64 sid /chroot-sid
Step 2: Add a regular user account and install the target application (youtube-dl in this example):
$ sudo firejail --noprofile --chroot=/chroot-sid
# adduser netblue
# apt-get install youtube-dl
# exit
Step 3: Run the application:
$ firejail --chroot=/chroot-sid
$ youtube-dl https://...
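The three documented steps above, as an added example script that is not part of the original post or of the Firejail project. It wraps the same debootstrap/firejail commands and adds the check the notes say was never run: a marker file planted in the chroot at build time, plus a small in-sandbox routine that confirms the marker is visible at /, that the process is not uid 0, and that Firejail's own container=firejail environment variable is present. The marker file name and the sandbox-check.sh path inside the chroot are constructed for this example; the extra flags (--nonewprivs, --caps.drop=all, --seccomp, --net=none) are Firejail options that the post's commands do not use, and the assumption is that firejail and debootstrap are installed and that the chroot lives at /chroot-sid.

```shell
#!/bin/sh
# Added example, not from the original post or the Firejail project.
# Assumes: firejail and debootstrap installed, Debian sid chroot at $CHROOT.
set -eu

CHROOT="${CHROOT:-/chroot-sid}"
MARKER=".inside-firejail-chroot"            # constructed marker name (assumption)
CHECK_SCRIPT="/usr/local/bin/sandbox-check.sh"  # constructed path inside the chroot (assumption)

# Compose the firejail flags. --nonewprivs blocks setuid escalation, --caps.drop=all
# and --seccomp shrink the kernel surface, --net=none is added for "nonet" runs.
# $1 = chroot directory, $2 = "net" or "nonet"
firejail_args() {
  args="--quiet --chroot=$1 --nonewprivs --caps.drop=all --seccomp"
  if [ "$2" = "nonet" ]; then
    args="$args --net=none"
  fi
  printf '%s\n' "$args"
}

# Isolation checks meant to run inside the sandbox. Returns the number of failures.
# $1 = filesystem root to inspect (default /), $2 = uid to judge (default current uid)
sandbox_checks() {
  root="${1:-/}"
  uid="${2:-$(id -u)}"
  fails=0
  # Firejail exports container=firejail into the sandbox environment.
  [ "${container:-}" = "firejail" ] || { echo "FAIL: container env var not set"; fails=$((fails+1)); }
  # The marker is only present in the chroot, so seeing it at / means / is the chroot, not the host.
  [ -f "$root/$MARKER" ] || { echo "FAIL: marker $MARKER not found under $root"; fails=$((fails+1)); }
  # Root inside the sandbox is the case the post could not test; refuse to run as uid 0.
  [ "$uid" -ne 0 ] || { echo "FAIL: running as uid 0 inside the sandbox"; fails=$((fails+1)); }
  return "$fails"
}

# Step 1 (plus the marker and a copy of this script so the checks can run inside).
build_chroot() {
  sudo mkdir -p "$CHROOT"
  sudo debootstrap --arch=amd64 sid "$CHROOT"
  sudo touch "$CHROOT/$MARKER"
  sudo cp "$0" "$CHROOT$CHECK_SCRIPT"
}

# Step 3: first prove the isolation holds (offline), then run youtube-dl with the network.
# $(firejail_args ...) is deliberately unquoted so the flags split into separate words.
run_in_sandbox() {
  url="$1"
  firejail $(firejail_args "$CHROOT" nonet) sh "$CHECK_SCRIPT" check
  firejail $(firejail_args "$CHROOT" net) youtube-dl "$url"
}

case "${1:-}" in
  build) build_chroot ;;          # step 1; step 2 (adduser, apt-get) is still done by hand
  check) sandbox_checks ;;        # run by run_in_sandbox from inside the sandbox
  run)   run_in_sandbox "$2" ;;   # step 3
esac
```

Usage: `sudo sh sandbox-check.sh build`, then the interactive step 2 from the post, then `sh sandbox-check.sh run https://...`. If any check prints FAIL, the first firejail invocation exits non-zero and youtube-dl is never started.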