/proc/cpuinfo
(Related: Restrict Hardware Information to Root)
To hide hardware identifiers, we could add a hardware info permission to sandbox-app-launcher. Then, only apps users have chosen can access hardware identifiers like CPU information.
Perhaps such a feature could be implemented in sandbox-app-launcher (development discussion), which would be useful for keeping buggy or misbehaving applications from accidentally DDoS'ing the host, as well as against compromised applications trying to benchmark the VM.
AppArmor supports rlimit rules that we can set.
https://manpages.debian.org/buster/apparmor/apparmor.d.5.en.html#rlimit_rules
sandbox-app-launcher currently only sets a limit of 200 processes to prevent fork bombs, but we can restrict it further.
rlimit supports many types of restrictions.
https://manpages.debian.org/buster/manpages-dev/setrlimit.2.en.html
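As an added illustration (not sandbox-app-launcher's own code), the sketch below applies several rlimit types to a child process through Python's `resource` module, which wraps setrlimit(2), and shows a busy loop being stopped by the CPU-time limit. Only the 200-process cap comes from the text above; the other values and the helper names (`apply_limits`, `run_limited`, `effective_limits`, `cpu_hog_exit_code`) are assumptions. It expects a Linux host.

```python
import json
import resource
import subprocess
import sys

# Constructed policy: only the 200-process cap comes from the page; the
# CPU-time and file-size values are assumptions chosen for illustration.
LIMITS = {
    "RLIMIT_NPROC": 200,          # fork-bomb guard
    "RLIMIT_CPU": 1,              # seconds of CPU time
    "RLIMIT_FSIZE": 1024 * 1024,  # bytes per written file
}

def apply_limits():
    """Runs in the child between fork() and exec(), as a launcher would."""
    for name, wanted in LIMITS.items():
        res = getattr(resource, name)
        _, hard = resource.getrlimit(res)
        # An unprivileged process may only lower its hard limit, so never
        # request more than the limit already in force.
        if hard != resource.RLIM_INFINITY and hard < wanted:
            wanted = hard
        # soft == hard: the application cannot raise the limit again.
        resource.setrlimit(res, (wanted, wanted))

def run_limited(argv, **kwargs):
    """Hypothetical launcher helper: start argv with LIMITS applied."""
    return subprocess.run(argv, preexec_fn=apply_limits, **kwargs)

def effective_limits():
    """Ask a limited child which (soft, hard) pairs it actually received."""
    probe = ("import json, resource, sys; print(json.dumps({n: resource.getrlimit("
             "getattr(resource, n)) for n in sys.argv[1:]}))")
    out = run_limited([sys.executable, "-c", probe, *LIMITS],
                      capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def cpu_hog_exit_code():
    """A busy loop stands in for a benchmark; the kernel signals it once
    its CPU-time budget is spent, so the exit code is negative."""
    return run_limited([sys.executable, "-c", "while True: pass"]).returncode

if __name__ == "__main__":
    print(effective_limits())
    print("busy loop exit code:", cpu_hog_exit_code())
```

An AppArmor `set rlimit` rule caps the same resource types from the profile side, so the confined program cannot raise them above the profile's value.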