[sf-lug] Sandboxing Zoom

Akkana Peck akkana at shallowsky.com
Tue May 26 13:15:09 PDT 2020


It's great to have the option of all these virtual meetings
everybody's running now ... but I'm unhappy about needing to
install proprietary binaries like Zoom and Discord on my system.
I'd like to find a way of sandboxing them.
Are any of you sandboxing those untrusted proprietary apps?
How do you do it?

I found something called firejail that sounded perfect. From the
description, it seemed to be sort of an easy chroot (that can also
wall off networking, devices, system calls and other services).
Sounded perfect! After a bit of fiddling with it, I had
    firejail --private=/path/to/sandbox zoom
running fine ... but then when I called up Settings to adjust where
recordings were stored, it still had full access to my homedir.
It wasn't in a chroot jail at all. (This may be specific to zoom:
I tried it with a couple other apps and they only saw the sandbox.
Maybe child processes aren't jailed?)

So I set up an Ubuntu install inside virtualbox, and installed Zoom
there. That sorta works ... but the CPU load is ridiculous (this on
my fancy new Carbon X1 gen 7, I don't even want to think what it
would have been on my older machines), the fan is blasting at full
speed, everything is super laggy, and I get occasional warnings
that the high CPU use is causing a poor zoom experience (no kidding).
Zoom by itself, outside of virtualbox, doesn't use anywhere near
that kind of CPU load and has much better performance.

Would kvm/qemu be less CPU hungry than virtualbox? Or should I be
looking at Docker? I've never tried Docker ... would it give me a more
effective sandbox than firejail? I've been avoiding it because when
I google, I find tons of "here's a pre-made Docker image for you"
and hardly any "here's how to set up your own Docker image".

Any other good sandboxing options?

        ...Akkana
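
A canary check for the home-directory leak described in the message above, as an added example that is not part of the original post. The function name `check_home_isolation` is hypothetical; the `--private=DIR` form in the usage comment is firejail's documented syntax, and the launcher is passed in so the same check works for any sandbox command.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a sandbox launcher
# really hides the caller's home directory from the processes it starts.
#
# Usage (assumed invocation, path is the post's own placeholder):
#   check_home_isolation firejail --quiet --private=/path/to/sandbox
#
# Returns 0 if the real home is hidden and writes do not reach it,
#         1 if the real home leaks into the sandbox (read or write),
#         2 if the launcher could not run the probe at all.
check_home_isolation() {
    [ "$#" -ge 1 ] || { echo "usage: check_home_isolation LAUNCHER [ARGS...]" >&2; return 2; }

    # Drop a uniquely named canary file into the real home directory.
    canary=$(mktemp "$HOME/.sandbox-canary.XXXXXX") || return 2
    name=${canary##*/}

    # Probe, run as a child of the sandbox launcher:
    #   1. report whether the canary is visible at $HOME inside the sandbox
    #   2. try to write a marker next to it, to detect write-through
    out=$("$@" sh -c '
        if [ -e "$HOME/$1" ]; then echo VISIBLE; else echo HIDDEN; fi
        touch "$HOME/$1.w" 2>/dev/null
    ' probe "$name" 2>/dev/null)

    # Back outside: did the sandboxed write land in the real home?
    wrote=no
    [ -e "$canary.w" ] && wrote=yes
    rm -f "$canary" "$canary.w"

    case "$out" in
        *VISIBLE*) return 1 ;;
        *HIDDEN*)  if [ "$wrote" = yes ]; then return 1; fi; return 0 ;;
        *)         return 2 ;;   # launcher failed or printed nothing usable
    esac
}
```

The probe is a plain shell, so a result of 0 confirms the launcher options isolate the home directory but says nothing about processes an application starts outside the sandbox.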
