Open BillDietrich opened 2 years ago
Hi @BillDietrich ,
I think this feature is out of scope of OpenSnitch. Personally I'd run Firefox/Chromium/etc sandboxed, with firejail for example. It allows you to run an application isolated from your filesystem: https://firejail.wordpress.com/documentation-2/basic-usage/#filesystem
I agree this would stretch the scope of OpenSnitch. But it seems it would fit fairly naturally into the existing OpenSnitch structure and UI. Just a new type of rule, and a different set of BPF hooks (I don't know much about that).
I have used Firejail and AppArmor and SELinux and various other mechanisms. But doing it in OpenSnitch would mean one GUI for both types of activity, one place to control network and file activity of application X. Convenient for users.
Please keep this request open and think about it, let's see if anyone else comments. Thanks.
The easiest way of implementing it would be by using fanotify:
https://man7.org/linux/man-pages/man7/fanotify.7.html
https://pkg.go.dev/github.com/docker-slim/docker-slim/pkg/third_party/madmo/fanotify
I'd like to add a +1 to this but with a twist: what I'd really like to be able to do is redirect some types of file access requests. The use-case would be for a related feature #437: for a big category of applications, what I want to do is inject MITM certificates - i.e. when using something like mitmproxy - without making system-wide changes or applying such changes globally.
So the ideal model would be setting rules which can remap which file gets opened by a request based on context, and pair that with a rule which will force the connection out through a proxy transparently.
Summary:
Please add support for rules to control file access instead of network access. And support good regex on the file path specification.
For example, I'd like a rule that says "deny always Firefox access to any files outside home/Downloads and home/.mozilla" (on Linux).
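The decision step behind a rule like the Firefox one above, as an added example that is not part of the thread and not OpenSnitch code. The `FileRule` type, the `Decide` and `SampleRules` functions, the user `alice` and the Firefox binary path are all assumptions made for illustration; the point is that the path has to be normalised and the regex anchored, or the rule is easy to sidestep.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
)

// FileRule is a hypothetical rule shape for this example, not an OpenSnitch type.
type FileRule struct {
	Process string         // absolute path of the executable the rule applies to
	Allow   *regexp.Regexp // paths the process may open; anything else is denied
}

// Decide reports whether process may open file. A process with no rule is
// unrestricted. The path is assumed to be already symlink-resolved (with
// fanotify, read from /proc/self/fd/<event fd>); Clean only handles "..", "//".
func Decide(rules []FileRule, process, file string) bool {
	clean := filepath.Clean(file)
	restricted := false
	for _, r := range rules {
		if r.Process != process {
			continue
		}
		restricted = true
		// Relative paths cannot be judged without the caller's cwd: no match.
		if filepath.IsAbs(clean) && r.Allow.MatchString(clean) {
			return true
		}
	}
	return !restricted
}

// SampleRules builds the Firefox rule from the request. The user "alice" and
// the binary path are constructed. ^...$ and (/.*)? stop prefix look-alikes.
func SampleRules() []FileRule {
	return []FileRule{{
		Process: "/usr/lib/firefox/firefox",
		Allow:   regexp.MustCompile(`^/home/alice/(Downloads|\.mozilla)(/.*)?$`),
	}}
}

func main() {
	for _, f := range []string{
		"/home/alice/Downloads/report.pdf",
		"/home/alice/Downloads/../.ssh/id_rsa",
		"/home/alice/Downloads-old/x",
	} {
		fmt.Println(f, Decide(SampleRules(), "/usr/lib/firefox/firefox", f))
	}
}
```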