Sounds really good in theory.
Would AppArmor profiles and other default hardening by packages, if any, be added “on top”?
Could you please scratch Whonix from the name / folder names? I guess this could be generic. Could be part of apparmor-profile-everything?
main_app_dir="/usr/share/whonix-apps"
Possibly better in user’s /home folder?
How would an application be started by default using the sandbox wrapper without needing to prepend on command line? The good old problem of non-existence of stackable wrappers.
- ⚓ T634 write draft for stackable wrappers on debian-devel
- proposals/634-stackable-wrappers.txt at master · Kicksecure/proposals · GitHub
I guess this sandbox wrapper could be implemented without solving the stackable wrappers issue, but really making applications benefit by default (actual Kicksecure / Whonix integration) would require that to be done.
TODO: X11 sandbox
Rather than bothering with X11 (whose days are numbered hopefully in any case), could you figure out how to change XFCE’s window manager with a window manager that uses Wayland? (Wayland and that idea were mentioned here: Enlightenment DE - #10 by Patrick)