this post was submitted on 14 Jun 2026
15 points (94.1% liked)

I want to run a shell script that might open my browser to a specific website. I don't want the page to load when this happens. But I cannot switch off my internet access either (as I use the internet to remotely access another system at the same time). So I am planning to isolate the run time environment for the shell script.

I am on Arch and I used to use an AUR package called bubblejail to do this. But with the whole AUR security fiasco, I am not trusting any packages from AUR. I can switch to another distro if needed, like Rocky or something.

So my requirement is, Internet sandboxing for a terminal and the processes it spawns. Preferably using flatpak commands.

Edit: I tried disabling the internet usage for a terminal from Flathub using Flatseal. Sure I cannot curl after this, but when I launch my browser using it, it had Internet access.

all 14 comments
[–] Eggymatrix@sh.itjust.works 5 points 1 week ago

Yet again a reminder that flathub solves a problem most people don't have, and most users get confused with what it does.

We have had granular permissions for users on systems for 50 years, and virtual machines for 30 years, yet people keep using the wrong tool for the job just because the wrong tools keep getting popular for some damn reason.

OP, you are using your flatpak terminal wrong, the processes it launches do not inherit the constraints, or at least are not forced to follow them. Use a separate user account for that.

[–] mcmodknower@programming.dev 4 points 1 week ago (1 children)

You want to find a way to remove the "open other programs" permission from the terminal. Or run it in a VM without internet connection.

[–] thanksforallthefish@literature.cafe 2 points 1 week ago (1 children)

Yeah, that's the simple answer. Install a VM, don't give it network access. Probably quicker to install a distro with a ready rolled installer (Ubuntu/Fedora etc) than to install Arch

VirtualBox is quick to install and easy to use (but the owner of Oracle, Larry Ellison is evil so not the moral choice). Qemu-KVM is a bit more of a faff but is FOSS.

> Qemu-KVM is a bit more of a faff but is FOSS.

If they use virt-manager most of the faff is handled for you in a way very similar to VirtualBox. It's not just as easy and you have to learn its idiosyncrasies. But I recommend trying it!

[–] blobjim@hexbear.net 3 points 1 week ago

You need to figure out what D-Bus API is called to open the URL, and block it using the flatpak run argument --no-talk-name=NAME

[–] dieTasse@feddit.org 2 points 1 week ago

You have to block the browser from the internet not the terminal.

[–] A_norny_mousse@piefed.zip 2 points 1 week ago

firejail should be able to do this with a carefully crafted command line or config file.

[–] Mordikan@kbin.earth 2 points 1 week ago (1 children)

I don't think flatseal isolates child processes, only the flatpak itself.

You could use firejail. That is available outside the AUR. As there is no socket available, if testing with a browser it should force the browser to crash. You could also try setting up a network namespace that only binds to loopback in case you want local device network access.

EDIT: I don't think you need to switch distros to solve this problem, but if you do you could try NixOS. Obviously there is no AUR, but you can write .nix config files to fine tune how firejail automatically works with specific applications:

```nix
programs.firejail = {
  enable = true;
  wrappedBinaries = {
    firefox = {
      executable = "${pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
      extraArgs = [
        "--private-home=.mozilla"
        "--whitelist=\${HOME}/Desktop/BrowserSandbox"
      ];
    };

    transmission-qt = {
      executable = "${pkgs.transmission-qt}/bin/transmission-qt";
      profile = "${pkgs.firejail}/etc/firejail/transmission-qt.profile";
      extraArgs = [
        # New, unconnected network namespace: loopback only.
        "--net=none"
      ];
    };
  };
};
```

[–] sudoer777@lemmy.ml 2 points 1 week ago* (last edited 1 week ago) (1 children)

On NixOS why not use Nixpak? (which doesn't require SUID binaries)

[–] Mordikan@kbin.earth 1 points 1 week ago

That's honestly a fair point. Firejail is simpler to use, but is still imperatively driven. Nixpak relies on declarative expression which is kinda the whole selling point of NixOS. For SUID, again I think it's a matter of complexity vs containment. One is easier, one is better isolated.

Firejail still might be the better choice in this given case, but that would depend on whether or not this is a per-user setup. Nixpak would win outright I would think outside that just based on reproducibility. I don't think the user shared details on why/who this would be for.

There is likely a less complicated way to do it but sudo to another user account and then run it with the protection. This way it can't reach your web browser. Or - I don't know if your program can do it, but Firejail certainly can - hide browser binaries and xdg-open from it, but I don't know how effective this will be against your particular script.

If you don't trust something maybe don't run it on your main OS?

[–] HelloRoot@lemy.lol 1 points 1 week ago

portmaster can turn off internet for a specific app, but even better it can block specific domains

actually just putting the website domain (with local ip or something) into hosts file will be enough

[–] OneCardboardBox@lemmy.sdf.org -1 points 1 week ago

You said you don't want the page to load. Do you even care if the browser opens?

What about overriding the default browser application that the terminal tries to use? Maybe there's some env variable to override the xdg browser default, and you could point it to a script that exits instantly.
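
Added example, not part of any comment in this thread: a wrapper that combines two suggestions made above, the loopback-only network namespace and the overridden browser launcher. The function names, the list of launcher names and the log file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: log "open this URL" requests instead of launching a browser,
# and drop the network for the whole process tree where the kernel allows it.

# Build a directory of stub launchers. The names are assumptions about what
# the script might call; add whatever your system's default browser is.
make_shims() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/xdg-open" <<'EOF'
#!/bin/sh
# Stub launcher: record the request and open nothing.
printf '%s\n' "$*" >> "$OPEN_LOG"
EOF
    chmod +x "$dir/xdg-open"
    for name in sensible-browser x-www-browser firefox chromium; do
        ln -s xdg-open "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# True if an unprivileged user + network namespace can be created here.
can_unshare_net() {
    command -v unshare >/dev/null 2>&1 && unshare -rn true 2>/dev/null
}

# offline_run LOGFILE COMMAND [ARGS...]
offline_run() {
    OPEN_LOG=$1; shift
    export OPEN_LOG
    : > "$OPEN_LOG"
    shims=$(make_shims) || return 1
    status=0
    if can_unshare_net; then
        # -n: empty network namespace (only a down "lo"), inherited by every
        # child. -r: caller appears as root inside the namespace only.
        env PATH="$shims:$PATH" BROWSER="$shims/xdg-open" \
            unshare -rn "$@" || status=$?
    else
        # No namespace support: the shims still catch PATH/BROWSER launches.
        env PATH="$shims:$PATH" BROWSER="$shims/xdg-open" "$@" || status=$?
    fi
    rm -rf "$shims"
    return "$status"
}
```

Run it as `offline_run /tmp/opened-urls.log sh ./script.sh` and read the log afterwards to see which URLs the script tried to open. The shims only catch launches that go through `PATH` or `$BROWSER`; a program that calls a browser by absolute path or hands the URL to an already running browser over the session bus is not covered by them.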