Locking down a user as much as humanly possible

So basically, I’m gonna use a separate user account on my device to run excessive amounts of untrusted code and applications, and I’m a little lost how exactly to lock down that user.

I know they shouldn’t really be able to write outside of their home directory, granted the user isn’t in any groups (especially wheel); however, let’s pretend for a second I’m using this user to run lots and lots of potential malware trying to escalate, communicate, etc.

Let’s start with what I don’t know: nftables and firewalld are quite confusing to me (yes, I read the manuals, I just can’t wrap my head around it; networking and firewall software is above my level of understanding). I want to completely block all internet access for this user; either firewalld or nftables is acceptable (although I don’t really know which one is “better”, “more secure”, or more robust). I did see how to do it using iptables, but I’m not going to try to use iptables when nftables is the new standard and is superior from my understanding.

I would also like to know how to prevent the user from accessing plain binaries in /usr/bin. I have wrappers in /usr/local/bin, which wrap certain binaries in bwrap and have other customizations such as exporting a JAVA_HOME variable before executing specific programs. I want my system to throw an error if that user attempts to run /usr/bin/vlc bluray:///dev/sr0 for example, without the wrapper. I don’t actually know if this is possible to do, but it would be nice.

Conversely, I don’t want the other users in the system to be able to access those binaries or the local wrappers. I assume that the answer to the last question will also be a sufficient answer to this question, but I’m unsure, because I want them to have different levels of access to the same binaries, without messing with the permissions in /usr/bin.

I know how to use bwrap and manage file permissions and groups, but I believe there may be other ways to lock down this user that I simply just haven’t thought of yet. I have considered partitioning a third install or using a second device, but I can’t afford the hardware for that, and also I would like to do this without re-partitioning my laptop with a third operating system; it’s just excessive imo. Virtualization is also not feasible for my use case: I would lose too much performance and I’ll probably give my CPU a heat stroke. I also don’t want to use Flatpak or AppImage or Snap. For Flatpak at least, it’s essentially just a bwrap wrapper which I’m already using; regardless, I don’t want to use any packaging format for my applications here other than rpm.
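For the "block all internet access for one user" part of the question, the standard nftables building block is `meta skuid`, which matches packets by the uid that owns the sending socket. The script below is an added example written for this thread, not something the poster or the Fedora project provides. It assumes a placeholder account called "untrusted" with uid 1001; the table and chain names are made up here and can be anything that does not collide with firewalld's own tables (firewalld and this table coexist, because a drop verdict in any base chain is final even if another chain accepted the packet). Only the output hook is used: inbound packets have no owning socket yet at the input hook, but any reply the user's process tries to send is still dropped, so listening services run by that user are effectively unreachable too.

```shell
#!/bin/sh
# Added example (not from the thread): per-user egress block with nftables.
# Placeholders: user name "untrusted", uid 1001 (assumed, substitute your own).
set -eu

# Emit a complete, idempotent nftables ruleset for one numeric uid.
# The first two lines create-or-keep our own table and empty it, so reloading
# never touches firewalld's tables or anything else on the box.
ruleset_for_uid() {
    uid="$1"
    cat <<EOF
table inet user_egress_block
flush table inet user_egress_block
table inet user_egress_block {
    chain output {
        type filter hook output priority 0; policy accept;
        # keep loopback so local IPC over 127.0.0.1 still works for this user;
        # delete this line if you want even localhost blocked
        oifname "lo" meta skuid $uid accept
        # everything else this uid's sockets send (DNS, TCP, UDP, ICMP, ...):
        # counted, then dropped; other users are unaffected
        meta skuid $uid counter drop
    }
}
EOF
}

# Resolve a user name to its uid and load the ruleset (must run as root).
apply_for_user() {
    name="$1"
    uid=$(id -u "$name")
    ruleset_for_uid "$uid" | nft -f -
}

# Usage: sudo sh block_user_net.sh untrusted
if [ -n "${1:-}" ]; then
    apply_for_user "$1"
fi
```

After loading, `nft list table inet user_egress_block` shows the rules and their packet counters; a quick check is `sudo -u untrusted curl -I https://example.com`, which should fail while the counter on the drop rule increases. Rules loaded with `nft -f` do not survive a reboot: write the same ruleset to the file your nftables.service reads (on Fedora-family systems that is normally /etc/sysconfig/nftables.conf, but verify the path on your system) and enable the service. Note that `meta skuid` matches the socket owner, so if a setuid helper or a system daemon sends traffic on the user's behalf (a network-facing print spooler, for example) that traffic is not caught; bwrap's `--unshare-net` inside the wrappers covers that gap for the processes they launch.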

Use a virtual machine.

1 Like

> Virtualization is also not feasible for my use case, I would lose too much performance and I’ll probably give my cpu a heat stroke.

Console-only VMs are okay for me, but I need a GUI environment for this user; basically it’ll be for playing Blu-rays with Java menus (the untrusted code that I was referring to). I remember years ago, I think it was Sony? Not sure; anyways, they had rootkits in their CDs to “prevent piracy”, so it just makes sense to me to treat all code and binaries on discs as potential malware. So if I had a dGPU to pass through to a VM, then that would be a good solution, but I don’t. Unless maybe there’s a way to pass a vGPU through KVM, similar to how I can give a VM vCPU cores? But as far as I’m aware that’s not possible.

I was trying to be specific in my question, perhaps if there are other methods that I didn’t think of/mention above, that could also be useful. The final paragraph is all the things I’ve thought of that I don’t want to do.