Thoughts on bubblejail? It’s very easy to use and seems to work very well.
Links
I’m editing/bumping this because it’s been a few months and I think that this is pretty good and should be considered for the sandboxing article.
Here’s how a profile for Brave looks like:
[common]
executable_name = "/usr/bin/brave"
share_local_time = false
filter_disk_sync = false
dbus_name = ""
[wayland]
[network]
[pulse_audio]
[home_share]
home_paths = [
"Downloads",
".config/BraveSoftware",
]
[direct_rendering]
enable_aco = false
[v4l]
[namespaces_limits]
user = 4
mount = 0
pid = -1
ipc = 0
net = 1
time = 0
uts = 0
cgroup = 0
[debug]
raw_bwrap_args = [
"--setenv",
"GTK_THEME",
"Breeze",
"--setenv",
"QT_QPA_PLATFORMTHEME",
"qt6ct",
"--setenv",
"GSETTINGS_BACKEND",
"keyfile",
"--ro-bind",
"/home/user/.config/gtk-3.0",
"/home/user/.config/gtk-3.0",
"--ro-bind",
"/home/user/.config/gtk-4.0",
"/home/user/.config/gtk-4.0",
"--ro-bind",
"/home/user/.config/qt5ct",
"/home/user/.config/qt5ct",
"--ro-bind",
"/home/user/.config/qt6ct",
"/home/user/.config/qt6ct",
"--ro-bind",
"/home/user/.config/brave-flags.conf",
"/home/user/.config/brave-flags.conf",
]
raw_dbus_session_args = [
"--talk=org.freedesktop.portal.Desktop",
]
raw_dbus_system_args = []
You can also create/edit profiles via the GUI.