by vojant 3960 days ago
Maybe you can use docker instead?

http://fabiorehm.com/blog/2014/09/11/running-gui-apps-with-d...

https://blog.jessfraz.com/post/docker-containers-on-the-desk...

4 comments

Docker is just a container and not a sandbox. There are no controls in the kernel to prevent something from leaving the container unless you enable restrictions outside of docker such as SELinux. There is a lot of development around SELinux+Docker right now.
There's actually a project called Subuser https://github.com/subuser-security/subuser which uses Docker to secure desktop applications.
Thanks for sharing, this looks interesting.
X11 forwarding doesn't cause any problems? I imagine I would easily be running 6 sandboxed apps at the same time.

From what I heard, you can escape Docker anyway, so I would need something like Subuser (suggested by amouat).

I was told docker runs things as root and is not secure, just convenient.
There's no reason a Docker container has to run as root. The daemon does, but that's another issue.
If you are connecting to X, it doesn't matter. You can attack all other X11 clients by design. This is why GNOME is pushing so heavily on xdg-app (for the sandbox) and the wayland-enabled GNOME shell (so apps can't snoop on each other).
Subuser uses XPRA, so it shouldn't suffer from this problem: http://subuser.org/news/0.3.html#the-xpra-x11-bridge
Wayland doesn't have the Xinput disaster.
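
Added example (not part of the thread, and not code from Docker or Subuser): a small audit over `docker inspect` JSON that flags the conditions the comments raise, namely a container running as root, the host X11 socket shared into it, and SELinux labeling explicitly disabled. The records in `SAMPLE` are constructed, and the finding names are made up for this sketch.

```python
import json

# Constructed `docker inspect`-style records (sample data, not from the thread).
SAMPLE = json.loads("""
[
  {"Name": "/browser",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": false,
                  "Binds": ["/tmp/.X11-unix:/tmp/.X11-unix"],
                  "SecurityOpt": ["label=disable"]},
   "Mounts": [{"Source": "/tmp/.X11-unix", "Destination": "/tmp/.X11-unix"}]},
  {"Name": "/editor",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false, "Binds": null, "SecurityOpt": null},
   "Mounts": []}
]
""")

X11_DIR = "/tmp/.X11-unix"  # conventional location of the X server's Unix sockets


def audit(container):
    """Return a list of findings for one `docker inspect` container object."""
    findings = []
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}

    # An empty Config.User means uid 0 inside the container.
    # Assumption: user-namespace remapping is not considered here.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")
    if host.get("Privileged"):
        findings.append("privileged")

    # Any bind of the host X11 socket directory lets the app talk to the
    # host X server, where clients are not isolated from one another.
    sources = [m.get("Source", "") for m in container.get("Mounts") or []]
    sources += [b.split(":")[0] for b in host.get("Binds") or []]
    if any(s == X11_DIR or s.startswith(X11_DIR + "/") for s in sources):
        findings.append("host-x11-socket-shared")

    # Only an explicit opt-out is visible per container; whether the daemon
    # enforces SELinux at all must be checked on the host.
    opts = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    if "label:disable" in opts:
        findings.append("selinux-label-disabled")
    return findings


def audit_all(containers):
    return {c.get("Name", "?").lstrip("/"): audit(c) for c in containers}
```

To run it against a real host, feed it the parsed output of `docker inspect` for the containers of interest instead of `SAMPLE`.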