While there are many Open Source solutions for browser-based videoconferencing and online meetings, like BigBlueButton or Jitsi, I am still forced to use zoom in a lot of contexts.
But the zoom web client lacks a lot of functionality and generally does not work well in my experience.
On the other hand I absolutely distrust the zoom client. Just inspect the strings that appear in the binary of the launcher…
$ strings /opt/zoom/ZoomLauncher | grep grep pacmd list-sinks |grep 'name:\|module:'
Yes, they are using a lot of shell commands in their compiled binaries.
Firejail to the rescue!
In short, Firejail is a wrapper that allows to limit what a process is allowed to to with regards not only to the filesystem but also all other aspects of your system.
A profile is used to define the permissions and view on the filesystem, then the binary is called via the Firejail wrapper.
This approach allows me to always use the latest published version of the client, provided as .deb by zoom and install it directly on my system. Which makes updating really easy.
Prerequisites
I created two directories in my home, zoom.back and zoom.data to store Images to use for virtual backgrounds in the first and to store recordings or files downloaded via zoom client in the other.
The Profile
You probably have to tune the profile file below, according to your needs, with regards to filesystem access and mounted directories. It can probably be improved additionally but below profile works for me.
include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-xdg.inc include /etc/firejail/disable-exec.inc include /etc/firejail/disable-devel.inc apparmor read-only ~/ whitelist ~/zoom.back read-write ~/zoom.back whitelist ~/zoom.data read-write ~/zoom.data whitelist ~/.zoom read-write ~/.zoom whitelist ~/.config/zoomus.conf read-write ~/.config/zoomus.conf private-tmp private-dev private-cache private-cwd private-etc group,hostname,passwd,profilem,bash.bashrc,fonts blacklist /mnt blacklist /data blacklist /media netfilter dns 8.8.8.8 dns 8.8.4.4 protocol inet,inet6,netlink,unix nodvd notv seccomp nonewprivs caps.drop all noroot # needed by zoom: memory-deny-write-execute nogroups shell none dbus-user none dbus-system none nou2f
My startup script
As a bonus I am checking if my camera is attached and enable the microphone profile on my headset before starting zoom. The important line is the last command, make sure when copy pasting to have no trailing whitespace after the backslashes.
#!/bin/bash
# switch the audio profile of my headset
~/bin/headset meeting
# check if my external camera is attached, as
# firejail will only show devices already present
lsusb -d 046d:0825
if [ ! "$?" -eq 0 ]; then
# wait until ok is pressed
xmessage "Turn on camera!"
fi
# call zoom in the jail, write a trace file to inspect
# afterwards if it crashed or throws errors
firejail --trace=~/.zoomtrace \
--profile=~/.firejail-zoom-profile \
/usr/bin/zoom $@
The Result
The zoom client and all it’s client processes should now not be able to access your home directory or drop files somewhere etc. With that I am somewhat less concerned running that binary on my user account on my main working machine.
Below you see how the dialog to choose a virtual background looks like with that profile.
Software Versions
I am currently running Debian 11.1 and the deb-package versions are zoom 5.8.4.210, and 0.9.64.4-2 for firejail and firejail-profiles.