> iptables don't let you know when a particular program tries to access an outside host and choose whether you want to allow that.
How does this model work for commonly used programs like curl? Do you block it and can't use it at all in your shell scripts, or do you whitelist it and hope that nefarious programs don't use it to exfiltrate data?
This is complicated, yes. This is why I didn't manage to achieve the perfect result with AppArmor - many of the apps I used on Linux are non-native so it seemed I could only allow/block the entire Python or a JVM (or curl, but I rarely use it so not a problem for me). Perhaps there was a way to analyse the parent process and/or the command line, perhaps whatever, AppArmor (let alone SELinux) felt too complicated (and cumbersome to operate) to waste time.
On Windows and Mac I don't really mind enabling/disabling whole Python/Java/whatever because I can do so in a couple of clicks (and I use more native apps there anyway, many untrusted native apps in particular).
By the way there are many processes on Linux which I would like to silence and theoretically could silence by just removing them as I never need them: I mean Avahi, Samba etc. However, today distros have all sorts of essential packages depending on these and won't let you uninstall them without destroying everything.
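The quoted complaint is that iptables gives no visibility into which program is opening outbound connections, and the curl question is about what to do with a general-purpose tool that any process can invoke. One approach that works without AppArmor is the one this added example demonstrates (it is not code from anyone in the thread): log the first packet of every new outbound flow together with the owning UID, run tools like curl under a dedicated account, and diff the log against an allowlist. The iptables rule in the docstring, the UID-to-name map and the kernel log lines are all assumptions constructed for the example.

```python
"""Attribute new outbound connections to the UID that opened them, from
iptables LOG output. Added example, not from the thread.

Assumed rule (root; logs only the first packet of each new outbound flow
and appends the socket owner's UID/GID to the log line):

    iptables -I OUTPUT -m conntrack --ctstate NEW \\
        -j LOG --log-prefix "OUT-NEW: " --log-uid

Running curl (or a whole interpreter such as python) under its own
account makes its traffic separable by UID alone, so a shell script's
legitimate curl calls and an unexpected one from another user differ
in the log even though the binary is the same.
"""
import re
from collections import defaultdict

LOG_PREFIX = "OUT-NEW: "
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the kernel LOG target's key=value format.
# Flags such as DF and SYN carry no "=" and are simply skipped by FIELD_RE.
SAMPLE_LOG = """\
Mar 10 12:00:01 host kernel: OUT-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar 10 12:00:02 host kernel: OUT-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar 10 12:00:03 host kernel: OUT-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar 10 12:00:04 host kernel: OUT-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar 10 12:00:05 host kernel: OUT-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=50000 DPT=53 LEN=44 UID=0 GID=0
Mar 10 12:00:06 host kernel: usb 1-1: new high-speed USB device number 3
"""

# Constructed UID-to-name map; on a real host read /etc/passwd or use pwd.getpwuid.
UID_NAMES = {0: "root", 1000: "alice", 1001: "curl-runner"}

# Constructed allowlist of (uid, destination, port) that are expected.
ALLOWLIST = {(1000, "198.51.100.5", 443), (0, "192.0.2.1", 53)}


def parse_line(line):
    """Return (uid, dst, dport, proto) for an OUT-NEW line, else None."""
    pos = line.find(LOG_PREFIX)
    if pos < 0:
        return None
    fields = dict(FIELD_RE.findall(line[pos + len(LOG_PREFIX):]))
    try:
        return (int(fields["UID"]), fields["DST"], int(fields["DPT"]), fields["PROTO"])
    except (KeyError, ValueError):
        # No socket owner (e.g. ICMP or forwarded traffic) or no port field.
        return None


def flows_by_uid(log_text):
    """Map uid -> set of distinct (dst, dport, proto) flows seen in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            uid, dst, dport, proto = rec
            seen[uid].add((dst, dport, proto))
    return dict(seen)


def unexpected_flows(log_text, allowlist, uid_names):
    """Flows whose (uid, dst, dport) is not allowlisted, as sorted
    (user, dst, dport, proto) tuples ready for review or alerting."""
    out = []
    for uid, flows in flows_by_uid(log_text).items():
        for dst, dport, proto in flows:
            if (uid, dst, dport) not in allowlist:
                out.append((uid_names.get(uid, str(uid)), dst, dport, proto))
    return sorted(out)


if __name__ == "__main__":
    for user, dst, dport, proto in unexpected_flows(SAMPLE_LOG, ALLOWLIST, UID_NAMES):
        print(f"{user}: new {proto} flow to {dst}:{dport}")
```

The same UID split also gives a way to restrict rather than only observe: an `iptables -A OUTPUT -m owner --uid-owner curl-runner` rule can limit that account's destinations, while curl run by anyone else is governed by the ordinary rules for their UID. The limitation the reply describes still applies in a weaker form, since the unit of control is the account, not the calling script or parent process.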