On Linux there is OpenSnitch that does its job nicely, although I experienced some occasional desktop slowdowns even after training it to open everything for trusted programs.
I still recall the old days of Windows when I tried Kerio Personal Firewall and realized how much software already phoned home two decades ago. That was the last wake up call that pushed me into getting rid of closed source software, possibly also hardware, especially when they connect to the internet.
Probably the closest thing these days is to use the cgroup match extension, together with something that makes sure separate apps are moved to their own cgroup. But that cgroup would be under a separate parent cgroup for each user so it's not ideal.
I expect NFQUEUE or some EBPF magic is a better way to do things - you don't want to be constantly adding/removing per-process iptables rules.
The owner module can control outbound communication by uid/gid. [1] There are no modules to handle things by PID AFAIK. This can however be accomplished by SELinux and Apparmor custom rules but that is a loaded topic.
Firejail [2] and Bubblewrap [3] can put limits on application capabilities and/or take away network access. Firejail has default policies for many applications, all of which can be overridden by user configurations in their home directory. Firejail leverages Linux Capabilities and AppArmor. For example, when I launch VLC even if it were configured to pull down album information, it could not. If one day they added default-enabled telemetry to VLC it would go nowhere.
A round-about and heavy handed way to manage communications by PID would be to isolation applications in their own VM or container and map the VM or container to a unique user or group.
From what I understand opensnitch use ebpf to match where the exiting packets are going. TCP being TCP, it is easy to know where the incoming answer will be delivered to as well.
Not sure if this would work also for connectionless protocols such as UDP.
That is, if I open a socket and send some datagrams to an external address:port to exfiltrate users data, then close the socket and exit, I don't think it would be able to tell which program did that, unless it detects it live.
OoenSnitch can, but it's not implemented O:) (only as a PoC)
But does it have any sense?
Usually you block inbound connections, allowing only certain services. If a rogue process starts listening on a local port, you could display a warning alert, and as inbound connections are already blocked you'd be safe (as long as you trust netfilter...) and you wouldn't need to ask the user to perform an action.
The slowdowns are because it still has to hold every connection until it can check which program it is coming from and whether that program is trusted or not, even when the same program creates multiple connections.
To get around the slowdowns, I made an alternative program called picosnitch which only monitors connections since I just stop using anything I don't trust or move it to a sandbox. It also uses BPF, has fairly low CPU usage, and some other features for improved reliability and detection of programs.
I second OpenSnitch, I haven't face any shutdowns due to it yet. For those coming from LittleSnitch on macOS might have to look into the finer details of the connection in the Allow/Deny dialog on OS to get the best results.
Slowdowns, not shutdowns, luckily:)
The desktop (XFCE under Debian if that helps) just hung for a while like it was waiting for me to allow some rules, but didn't show the requester to do so, also the timings were random, could have been from 2 seconds to 5 or more.
https://github.com/evilsocket/opensnitch
I still recall the old days of Windows when I tried Kerio Personal Firewall and realized how much software already phoned home two decades ago. That was the last wake up call that pushed me into getting rid of closed source software, possibly also hardware, especially when they connect to the internet.