What is the best sandboxing solution on Linux?

I want to use a sandboxing solution on Linux to sandbox my games I play (like Minecraft). The problem is there is so much information that is quite scary. I hear that Flatpak has issues (https://flatkill.org/), Firejail has issues (Linux | Madaidan's Insecurities), and Bubblewrap is apparently not really supposed to be a tool directly accessed by the user (Can ease of use be closer to that of firejail? · Issue #266 · containers/bubblewrap · GitHub).

If I strictly want to sandbox apps for privacy reasons (meaning the game can’t access my microphone or personal files), which one is the best?


I use Proxmox and just put these games in a VM with GPU passthrough.

You can also use Windows, but the kind of games that need Windows have anticheat that doesn’t like VMs.

I use them in Flatpak with Flatseal where possible and it runs flawlessly.

  • use Wayland
  • use PipeWire (more secure isolation than pulse)
  • OpenSnitch for network monitoring
  • use Flatseal to tweak what permissions you want

Do this all on a gaming profile and not an admin account and it should be a fairly good setup.


For a more balanced perspective you should read: Response to flatkill.org | TheEvilSkeleton

Unless you’re running malware, I doubt the developers of normal applications are going to circumvent a specific form of sandboxing on the already tiny Linux market share just to do something the user doesn’t want in a way that could result in terrible press coverage, so the actual “strength” of the sandbox in your use case probably doesn’t matter much.

I believe Flatpak (or maybe Snap if you’re on Ubuntu?) should be able to do this. If it’s not done by default you can just use Flatseal as Eebzter suggested.

I’ve played around with this on and off over the last year. Here’s my two cents:

Firejail has a very old manual and 1-2 YouTube videos that only walk you through the basics that are covered in the manual intro. I did OK with the preset options but struggled a lot when I went even slightly off the beaten path.

I started down an AppArmor rabbit hole in the past and was too confused. I tried it again today and came to the conclusion that:

  1. Few modern packages are covered w/ a relevant AppArmor profile out of the box
  2. Of the software profiles available, the majority by default are either disabled or allowed to do whatever as long as they write to logs… ~75% by my estimate
  3. Quite a few modern software packages have profiles ‘included’ but those profiles are empty.
  4. AppArmor kinda forces you to get your hands dirty by creating a custom profile from the start instead of providing a hello-world option or something similar to get the ball rolling.

Open to feedback, but my current understanding is:

  1. Create a .service file for the game (or edit it if it already exists)
  2. Use flags like TemporaryFileSystem=/home (and something like BindReadOnlyPaths=/home/user/Downloads:/home/user/Downloads if you needed to mount your Downloads folder). There’s a rough breakdown of systemd hardening options here or in the manpages via man systemd.exec.5.
  3. Set up your .desktop file to launch the .service file (or launch from the terminal w/ systemctl if you’re too lazy for the extra step)
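The three steps in the last post, as an added shell script that is not from the thread: it writes a --user unit carrying the hardening directives mentioned (plus a few more from systemd.exec), the .desktop launcher, and a small check helper. The unit name, launcher path and game directory are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the thread's code): a hardened --user unit plus a .desktop
# launcher for a game, per the three steps above. Constructed assumptions: unit
# "minecraft", launcher $HOME/games/minecraft/start.sh, data in $HOME/games/minecraft.
# Mount sandboxing in --user units relies on unprivileged user namespaces.
# write_game_unit UNIT_DIR NAME GAME_DIR LAUNCHER  (steps 1 and 2)
write_game_unit() {
    mkdir -p "$1"
    cat > "$1/$2.service" <<EOF
[Unit]
Description=Sandboxed game: $2
[Service]
ExecStart=$4
# Replace all of /home with an empty tmpfs so personal files are invisible...
TemporaryFileSystem=/home
# ...then map back only what the game needs: its own directory read-write,
# Downloads read-only ("-" prefix: skip silently if the path does not exist).
BindPaths=$3
BindReadOnlyPaths=-%h/Downloads
# /usr, /boot and /etc read-only; private /tmp; no setuid privilege gain.
ProtectSystem=full
PrivateTmp=yes
NoNewPrivileges=yes
# Unix sockets (Wayland, PipeWire, D-Bus) plus IPv4/IPv6 for multiplayer.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Hide webcam nodes; /dev/dri is untouched so the GPU keeps working.
InaccessiblePaths=-/dev/video0 -/dev/video1
EOF
}

# write_desktop_entry APP_DIR NAME: a launcher that starts the unit (step 3)
write_desktop_entry() {
    mkdir -p "$1"
    cat > "$1/$2.desktop" <<EOF
[Desktop Entry]
Type=Application
Name=$2 (sandboxed)
Exec=systemctl --user start $2.service
Terminal=false
EOF
}

# unit_has FILE DIRECTIVE: succeeds if FILE contains exactly that directive line
unit_has() { grep -qxF "$2" "$1"; }
# Install for the current user, then reload and start:
#   write_game_unit "$HOME/.config/systemd/user" minecraft "$HOME/games/minecraft" "$HOME/games/minecraft/start.sh"
#   write_desktop_entry "$HOME/.local/share/applications" minecraft
#   systemctl --user daemon-reload && systemctl --user start minecraft.service
# Display not found? Run: systemctl --user import-environment WAYLAND_DISPLAY
```

Audio and the microphone both travel over the PipeWire socket under /run/user, which this unit leaves reachable so that sound still works; cutting microphone access has to happen on the PipeWire or portal side, not through a path rule here.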