-
If anyone wants to look further into sandboxing applications on Linux, you can also look at AppArmor and the sandboxing features built into systemd.
I love this repository for bases for AppArmor profiles[1], really good work. Never found a repository as good for systemd, but there are a few around.
[1] https://github.com/roddhjav/apparmor.d
-
Someone has combined those things to port Pledge to Linux.
https://github.com/jart/pledge
-
bubblewrap is designed as a low-level tool. There is nothing quick and dirty about it. It disallows everything by default and you have to be explicit about what you want to share with the host. If your application needs complex permissions/resources, then you will need to have a complex bubblewrap command line.
Once you have figured out which permissions/resources you need for a given program, you can wrap the command line invocation in a shell script.
If you want other people to do the work of defining permissions/resources, then have a look at firejail: https://github.com/netblue30/firejail
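An added example (not from the comment above or from the bubblewrap project) of the kind of wrapper script the comment describes: start from an empty namespace and bind in only what the program needs. It assumes a hypothetical program `myviewer` that only needs read access to one directory, a glibc system (for `/etc/ld.so.cache`), and `bwrap` on `PATH`.

```shell
#!/bin/sh
# bwrap_args prints one bubblewrap argument per line. Kept separate from the
# exec so the allow-list can be reviewed or tested without running bwrap.
#   $1 = directory the program may read (read-only)
#   $2 = 1 to allow network access, 0 to leave the network namespace empty
bwrap_args() {
    doc_dir=$1
    net=$2
    home=${HOME:-/tmp/home}   # constructed fallback for test environments
    printf '%s\n' \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --ro-bind /etc/ld.so.cache /etc/ld.so.cache \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$home" \
        --ro-bind "$doc_dir" "$doc_dir" \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --clearenv \
        --setenv HOME "$home" \
        --setenv PATH /usr/bin
    # Everything is unshared above; network is the one thing opted back in.
    if [ "$net" = 1 ]; then
        printf '%s\n' --share-net
    fi
}

# run_sandboxed DOC_DIR NET PROGRAM [ARGS...]
# Turns the printed list into positional parameters (paths with spaces are
# fine, paths with newlines are not) and replaces this shell with bwrap.
run_sandboxed() {
    doc_dir=$1; net=$2; shift 2
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(bwrap_args "$doc_dir" "$net") -- "$@"
    set +f
    IFS=$old_ifs
    exec bwrap "$@"
}

# Example use: run_sandboxed "$HOME/Documents" 0 myviewer report.pdf
```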
-
If you're using KDE, they have a native permission manager: https://github.com/KDE/flatpak-kcm