Sandboxing

Note: This page is new/incomplete.

Sandboxing is the practice of running a program in a separate, isolated environment so that it cannot affect the main system.

Quick overview of sandboxing methods on Linux (roughly listed in order of increasing safety and overhead, and decreasing convenience):

  • separate user account - the oldest and simplest method; little additional safety, low overhead
  • bubblewrap (optionally combined with a separate user account and AppArmor / SELinux) - the kernel is still shared with, and exposed to, the sandboxed program
  • gVisor - the application gets its own "virtual" (user-space) kernel
  • KVM - virtual machine
  • Xen - virtual machine, generally considered safer than KVM; if you're interested in this approach, check out Qubes OS
  • separate physical machine - the safest method, but very inconvenient

It comes down to how much safety you need for your use case - e.g. I'm using bubblewrap for my regular web browsing with Firefox (with tweaks and with JavaScript disabled by default).
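As an added example (not from this page, and not a profile its author ships), the script below shows what a minimal bubblewrap launch looks like and adds a small check that rejects options which quietly widen the sandbox. It assumes bwrap 0.4 or newer, unprivileged user namespaces enabled, and a conventional /usr, /bin, /lib, /etc layout; the function names sandbox_args, audit_args and run_sandboxed are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): launch a program under bubblewrap with a
# minimal, read-only view of the host. Assumes bwrap >= 0.4 and working
# unprivileged user namespaces; the mount layout is an assumption about a
# typical Linux install, not a universal profile.

# Print the bwrap argument list, one per line. The profile:
#   - unshares every namespace (user, pid, net, ipc, uts, cgroup),
#   - kills the sandbox when the launcher exits and detaches it from the tty,
#   - exposes /usr, /bin, /lib* and /etc read-only and nothing else from the host,
#   - gives the program a private /tmp and a dedicated home directory.
sandbox_args() {
    home_dir="$1"
    printf '%s\n' \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --ro-bind /bin /bin \
        --ro-bind-try /lib /lib \
        --ro-bind-try /lib64 /lib64 \
        --ro-bind /etc /etc \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$home_dir" /home/sandbox \
        --setenv HOME /home/sandbox \
        --chdir /home/sandbox
}

# Read an argument list (one per line) from stdin and reject options that widen
# the sandbox. Prints each finding; returns 0 only when nothing is flagged.
audit_args() {
    status=0
    seen_unshare=0
    prev=""
    while IFS= read -r arg; do
        case "$arg" in
            --unshare-all) seen_unshare=1 ;;
            --share-net) echo "audit: network namespace shared with the host"; status=1 ;;
            --dev-bind|--dev-bind-try) echo "audit: $arg exposes host device nodes"; status=1 ;;
            --cap-add) echo "audit: capabilities granted inside the sandbox"; status=1 ;;
        esac
        # A writable bind of / or of the real home hands the program the host view.
        case "$prev $arg" in
            "--bind /"|"--bind ${HOME:-/nonexistent}")
                echo "audit: writable bind of $arg"; status=1 ;;
        esac
        prev="$arg"
    done
    if [ "$seen_unshare" -ne 1 ]; then
        echo "audit: --unshare-all is missing"; status=1
    fi
    return "$status"
}

# Run COMMAND inside the sandbox: run_sandboxed HOME_DIR COMMAND [ARGS...]
run_sandboxed() {
    home_dir="$1"; shift
    args=$(sandbox_args "$home_dir")
    # POSIX sh has no arrays, so carry the list in the positional parameters.
    # Splitting on newline is safe because none of the paths contain one.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $args -- "$@"
    set +f
    IFS=$old_ifs
    bwrap "$@"
}

# Usage: run_sandboxed "$HOME/sandboxes/firefox" firefox --new-instance
# A browser needs --share-net added on purpose; audit_args flags it so that
# widening the sandbox is an explicit decision rather than an accident.
```

The profile binds all of /etc read-only for simplicity; a tighter profile would bind only the files the program actually reads. Because bubblewrap still shares the host kernel, the audit is a configuration check, not a substitute for the stronger isolation of gVisor or a virtual machine listed above.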