Sandboxing suite for desktop programs

Not entirely sure this is the right place, but hoping it would be useful/interesting to the Whonix community. (Feel free to remove/ask me to repost elsewhere if this is not the right place).

I have recently written a sandboxing suite for some desktop programs I use quite often (e.g. browsers, PDF readers).

Some recent designs took inspiration from sandbox-app-launcher (System-wide sandboxing framework - sandbox-app-launcher), but overall objective is to make each script more tailored to the program rather than making a general tool.

Main features

  • Private home for programs
  • Shell interpreter access is removed in the sandbox
  • Access to number of binaries is minimized (via bubblewrap and AppArmor)
  • Fairly strict seccomp filters are supplied to bubblewrap
  • Fairly strict AppArmor profiles are generated

Repo: https://github.com/darrenldl/sandboxing

(README “Profiles” section contains an overview of profiles ready to be used)

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]