System-wide sandboxing framework - sandbox-app-launcher

Not sure.

It should work but it’s currently untested. Please try it if you can and report back.

ALSA is still actively updated and isn’t the bane of sandboxes unlike PulseAudio.

I’d suggest that Whonix remove PulseAudio entirely but that’d be for a separate thread.

We mount an empty tmpfs over /tmp. Anything in /tmp outside of the sandbox cannot be accessed from within.

Yes, this is more geared towards end-user applications, not any system software.

bubblewrap can be nested only if using user namespaces. Otherwise, if using setuid, it will disable itself with no_new_privs.

Can’t we just write to /tmp and copy it over?

Yes. Sandboxing programs running as the same user has historically never seriously worked well. It’s been the cause of many issues with e.g. Flatpak. It’s why Android/iOS have always used separate users.