by ATsch 2784 days ago
That's pretty cool. I wish Chromium supported this on Linux too. It seems more like a Chromium feature than an OpenBSD feature to me though? Linux programs installed via, say, Flatpak have this on by default.
2 comments

unveil(2) is an OpenBSD-specific feature, although you could accomplish something very similar with Linux and another sandboxing tool (or SELinux, but that might be overkill). I highly recommend you read the man page for unveil(2), it's very cool: https://man.openbsd.org/unveil
> unveil(2) is an OpenBSD-specific feature

Yes, I am aware. I thought it was pretty obvious that when I said "it's a Chrome feature" I didn't mean "unveil(2)" but being able to restrict access to the filesystem. Which is possible with both Linux and OpenBSD, of course. Alas, the downvoters seem to disagree.

I think if you run a snap package without privileges it is pretty sandboxed too.
Presumably only if AppArmor is available.
Ahh, I didn't know that -- thanks. I think it's enabled by default on Ubuntu? Or was it Fedora that runs SELinux by default?
Yes, Ubuntu has it enabled by default - so Snaps are first-class citizens on Ubuntu. I think the upcoming release of Debian may also have AppArmor by default.