Sandboxing All the Things with Flatpak and BubbleBox

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • apparmor.d

    Full set of AppArmor profiles (~ 1500 profiles)

  • If anyone wants to look further into sandboxing applications on Linux, you can also look at AppArmor and the sandboxing features built into systemd.

    I love this repository for bases for AppArmor profiles[1], really good work. Never found a repository as good for systemd, but there are a few around.

    [1] https://github.com/roddhjav/apparmor.d

  • pledge

    OpenBSD APIs ported to Linux userspace using SECCOMP BPF and Landlock LSM (by jart)

  • Someone has combined those things to port Pledge to Linux.

    https://github.com/jart/pledge

  • firejail

    Linux namespaces and seccomp-bpf sandbox

  • bubblewrap is designed as a low-level tool. There is nothing quick and dirty about it. It disallows everything by default and you have to be explicit about what you want to share with the host. If your application needs complex permissions/resources, then you will need to have a complex bubblewrap command line.

    Once you have figured out which permissions/resources you need for a given program, you can wrap the command line invocation in a shell script.

    If you want other people to do the work of defining permissions/resources, then have a look at firejail: https://github.com/netblue30/firejail

  • flatpak-kcm

    Flatpak Permissions Management KCM

  • If you're using KDE, they have a native permission manager: https://github.com/KDE/flatpak-kcm

NOTE: The number of mentions on this list indicates mentions on common posts plus user-suggested alternatives. Hence, a higher number means a more popular project.
