I have a heavily-patched version of a less-popular sandboxing program (appjail). When I want to handle some files of questionable origin, I create a directory (~/jailboxes/gregs_avi_files) and use appjail to switch to that directory in a terminal. Unlike firejail, appjail defaults to full $HOME isolation (and has knobs for Xorg support, so X11 apps work out of the box without access to the parent /home). There are command-line switches for X11-based and pure terminal environments. It is also possible to whitelist/blacklist individual files in /dev etc. from the command line.
I don't use Flatpak etc. — all of my jails use system-wide libraries and executables. They are just launched inside a sandbox environment.