Not entirely sure this is the right place, but hoping it would be useful/interesting to the Whonix community. (Feel free to remove/ask me to repost elsewhere if this is not the right place).
I have recently written a sandboxing suite for some desktop programs I use quite often (e.g. browsers, PDF readers).
Some recent designs took inspiration from sandbox-app-launcher (System-wide sandboxing framework - sandbox-app-launcher), but the overall objective is to make each script more tailored to the program rather than making a general tool.
- Private home for programs
- Shell interpreter access is removed in the sandbox
- The number of accessible binaries is minimized (via bubblewrap and AppArmor)
- Fairly strict seccomp filters are supplied to bubblewrap
- Fairly strict AppArmor profiles are generated
(The README “Profiles” section contains an overview of profiles ready to be used)
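As an added illustration of the per-program approach listed above (not code from the author's suite), here is a minimal bubblewrap launcher sketch: private home, no shell interpreter or spare binaries visible inside, and an optional pre-compiled seccomp filter handed to bwrap over a file descriptor. It assumes bwrap is installed on a merged-/usr system; the program path, home directory and filter path are illustrative values supplied by the caller, and the AppArmor side is left to a separately loaded profile.

```shell
#!/bin/sh
# Added example, not the author's sandboxing suite: per-program bwrap launcher.
# Assumptions: bwrap installed, merged-/usr layout (/lib -> usr/lib),
# PROG/HOME/FILTER are caller-supplied illustrative values.

# sandbox_cmd PROG HOME [FILTER]
#   PROG   : program binary to run; only this binary is bound under /usr/bin
#   HOME   : per-program private home on the host, mounted as /home/user
#   FILTER : optional raw seccomp BPF program (e.g. exported with libseccomp)
# With DRY_RUN=1 the bwrap command line is printed one argument per line
# instead of being executed, so a profile can be reviewed before use.
sandbox_cmd() {
    prog="$1"; home="$2"; filter="$3"
    mkdir -p "$home"
    # Minimal root: libraries, loader cache, fonts and the program itself, read-only.
    # --unshare-all also drops the network; add --share-net for a browser profile.
    set -- --unshare-all --die-with-parent --new-session \
        --ro-bind /usr/lib /usr/lib \
        --ro-bind-try /usr/lib64 /usr/lib64 \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --ro-bind-try /etc/ld.so.cache /etc/ld.so.cache \
        --ro-bind-try /etc/fonts /etc/fonts \
        --ro-bind "$prog" "$prog" \
        --proc /proc --dev /dev --tmpfs /tmp \
        --bind "$home" /home/user \
        --setenv HOME /home/user --chdir /home/user \
        --unsetenv SHELL
    # /bin, /usr/sbin and the rest of /usr/bin are simply absent inside, so the
    # program has no /bin/sh to exec; extend the ro-bind list per program as needed.
    if [ -n "$filter" ]; then
        exec 10< "$filter"          # bwrap reads the BPF bytes from this fd
        set -- "$@" --seccomp 10
    fi
    set -- "$@" -- "$prog"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' bwrap "$@"
    else
        exec bwrap "$@"
    fi
}
```

Run it as `DRY_RUN=1 sandbox_cmd /usr/bin/mupdf ~/.sandboxes/mupdf` to print the argument list, or without DRY_RUN to launch the program.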