[HN Gopher] Firejail - Sandbox Linux Applications
       ___________________________________________________________________
        
       Firejail - Sandbox Linux Applications
        
       Author : thushanfernando
       Score  : 24 points
       Date   : 2020-11-10 21:39 UTC (1 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | pythux wrote:
       | I have been using Firejail for a few years now and absolutely
       | love it. It is now a central part of my setup and workflows. Here
       | are two features I use regularly:
       | 
       | - The "virtual home" specified with --private=/path/to/folder
       | runs the app with the specified folder as a home folder. I use
       | this for all the apps I sandbox to make sure my real home does
       | not get polluted by tens of config files, cache, etc. Removing
       | all traces of an app is now as easy as deleting /path/to/folder;
       | I find this pretty neat to keep my home folder organized (each
       | app gets its own home in ~/.sandboxes/<app name>).
       | 
       | - Starting an app with --private (without any argument) will run
       | it in a temporary/disposable home folder which will be cleaned
       | up when the app is stopped. I use it to run some apps I don't
       | really trust and don't need persistence for (e.g. I start Chrome
       | with this option so that I get a fresh home, hence profile, every
       | time I need it, same for Zoom when I need to join a meeting---not
       | very often).
       | 
       | And of course all the profiles that are built-in to customize the
       | sandboxing to most popular apps are great!
       | 
       | I'm really thankful for the work being done on this project.
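
The two --private modes described in the comment above, wrapped in a launcher. This is an added example, not part of pythux's comment or the Firejail project; SANDBOX_ROOT, the function names and the app-name check are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: per-app private homes under ~/.sandboxes/<app name>,
# or a disposable home, using firejail's --private option.
# SANDBOX_ROOT and all function names are hypothetical (not Firejail's).
SANDBOX_ROOT="${SANDBOX_ROOT:-$HOME/.sandboxes}"

# Reject names that would put the private home outside SANDBOX_ROOT
# ("../x", "a/b") or that firejail would parse as an option ("-x").
valid_app_name() {
    case "$1" in
        ""|.|..|*/*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the firejail command line without running anything.
#   sandbox_cmd persistent <app> [args...]  -> --private=$SANDBOX_ROOT/<app>
#   sandbox_cmd disposable <app> [args...]  -> --private (temporary home)
sandbox_cmd() {
    [ $# -ge 2 ] || return 2
    mode="$1"; app="$2"; shift 2
    valid_app_name "$app" || { echo "invalid app name: $app" >&2; return 2; }
    case "$mode" in
        persistent) opt="--private=$SANDBOX_ROOT/$app" ;;
        disposable) opt="--private" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    set -- firejail "$opt" "$app" "$@"
    echo "$*"
}

# Validate, create the per-app home with owner-only permissions if the
# mode is persistent, then replace this shell with firejail.
sandbox_run() {
    [ $# -ge 2 ] || return 2
    mode="$1"; app="$2"; shift 2
    sandbox_cmd "$mode" "$app" >/dev/null || return 2
    if [ "$mode" = persistent ]; then
        mkdir -p "$SANDBOX_ROOT/$app" && chmod 700 "$SANDBOX_ROOT/$app" || return 1
        exec firejail "--private=$SANDBOX_ROOT/$app" "$app" "$@"
    fi
    exec firejail --private "$app" "$@"
}
```

Removing an app's traces is then `rm -r "$SANDBOX_ROOT/<app name>"`; the name check keeps that path, and the one handed to --private=, inside SANDBOX_ROOT.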
        
       | cameronperot wrote:
       | I've used Firejail for years and can definitely recommend it! It
       | has a lot of nifty features, e.g. network namespacing via the
       | --net argument.
        
       | qwerty456127 wrote:
       | Can this provide application firewall kind of network control,
       | like Little Snitch?
        
       | neolog wrote:
       | Sandboxing needs to happen by default for all applications,
       | without additional work by users. It needs to be an OS-level
       | feature.
        
       | srgpqt wrote:
       | Neat. On the server, we use bubblewrap, a similar tool
       | (comparison with firejail is in bubblewrap readme)
       | 
       | https://github.com/containers/bubblewrap
        
       ___________________________________________________________________
       (page generated 2020-11-10 23:01 UTC)