by tobbyb 3970 days ago
Haven't tried mbox yet but Firejail is pretty straightforward for sandboxing locally installed apps. You can roll your own namespaced sandbox with unshare but Firejail does that cleanly, adds seccomp support, and is easy to use.

Docker, LXC, Nspawn and other container-oriented managers are more focused on running chroots in namespaces, so you would need to install the app in the container. In a way a container, especially an unprivileged one, is perhaps a bit 'cleaner' as the app is installed in its own chrooted OS and not on the host.

The only thing is running GUI apps in containers is involved in terms of configuration, so Firejail wins for simplicity. Firejail also supports chroots so you can run proper containers with it.

We have a writeup on running accelerated GUI apps in containers here - https://www.flockport.com/run-gui-apps-in-lxc-containers/

2 comments

You are distributing an outdated chromium with your demo app - this demonstrates quite clearly the problems with this approach: how to update software?
To clarify, this is a preview GUI container, more to show users how to run GUI apps in containers than a Chromium container. You are right though, we ideally need to keep it updated but it can also be updated directly by users inside the container.
Does firejail protect your filesystem from the application? Can the recent firefox exploit steal your ssh keys if firefox was run under firejail?
By default, firejail seems to allow read access to my entire home directory. I believe you have to use the --private flag for it to protect you from the recent firefox exploit. And if you want persistence, you can use the --private=directory flag.
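
A way to check the question raised in the last two comments on your own machine, as an added example that is not part of the thread: the script probes which sensitive paths under `$HOME` a process can read with no sandbox, under firejail's default profile, and under `--private`. The path list, the function names and `JAIL_HOME` are assumptions made for illustration; results depend on the firejail version and profile in use.

```shell
#!/bin/sh
# Added example: which sensitive files under $HOME can a sandboxed process read?
# SENSITIVE is a constructed sample list; edit it to match your own home.
SENSITIVE=".ssh/id_rsa .ssh/id_ed25519 .gnupg .aws/credentials"
# Hypothetical directory for the persistent --private=directory variant.
JAIL_HOME=${JAIL_HOME:-$HOME/firejail-home}

# visible_paths [LAUNCHER...]: run a probe shell under the launcher and print
# every path from SENSITIVE that is readable from inside it.
visible_paths() {
    "$@" sh -c '
        for p in $1; do
            [ -r "$HOME/$p" ] && echo "$p"
        done
        exit 0
    ' probe "$SENSITIVE"
}

# audit LABEL [LAUNCHER...]: report the result; returns 1 if anything is exposed.
audit() {
    label=$1; shift
    found=$(visible_paths "$@") || { echo "$label: launcher failed"; return 2; }
    if [ -n "$found" ]; then
        echo "$label: EXPOSED:" $found
        return 1
    fi
    echo "$label: no listed path is readable"
}

# Only run the real checks when firejail is installed.
if command -v firejail >/dev/null 2>&1; then
    audit "no sandbox" || true
    audit "firejail (default profile)" firejail --quiet || true
    audit "firejail --private" firejail --quiet --private || true
    if [ -d "$JAIL_HOME" ]; then
        audit "firejail --private=$JAIL_HOME" firejail --quiet "--private=$JAIL_HOME" || true
    fi
fi
```

Any line reporting `EXPOSED` for a firejail launcher means a compromised application started that way could read the listed files.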