How can I firejail the whole operating system? [answer: you can't]

[paolus4]

I apologize if the question has already been asked: I have searched multiple times, but have not found anything about it. I would like to shield the entire operating system (about internet connection), leaving only some specific programs to connect to the internet. What should I do to firejail the entire Linux first?

[rusty-snake]

What should I do to firejail the entire Linux first?

TL;DR: Not possible, use a LMS like SELinux or AppArmor.

It's difficult to "Firejail the whole operating system" because:

1. What's "the whole operating system"? Everything in the userspace, only the user session or is the kernel included. And what's with the boot loader, the UEFI/BIOS and IME or PSP? Strictly speaking is "Linux" only the kernel and you can not protect it from the userspace, because ring4 is inferior to ring0.
2. So what's if we just want to jail the userspace? With a custom pid1 that starts firejail it's maybe possible, however that would be very hacky and does not work together with systemd and point 3 and 4.
3. So let's say we jail only the user session, what would happen? Your whole session would run in one sandbox. Every fork-exec is still in the same namespace (sandbox / jail / ...), it inherits. => Block internet for everything or nothing.
4. What's with program that do not work inside firejail? If they are started in a inherited sandbox you can't use them.

Related: #397.