What is the best sandboxing solution on Linux?

I want to use a sandboxing solution on Linux to sandbox my games I play (like Minecraft). The problem is there is so much information that is quite scary. I hear that Flatpak has issues (https://flatkill.org/), Firejail has issues (Linux | Madaidan's Insecurities), and Bubblewrap is apparently not really supposed to be a tool directly accessed by the user (Can ease of use be closer to that of firejail? · Issue #266 · containers/bubblewrap · GitHub).

If I strictly want to sandbox apps for privacy reasons (meaning the game can’t access my microphone or personal files), which one is the best?

I use Proxmox and just put these games in a VM with GPU passthrough.

You can also use Windows but the kind of games that need windows have anticheat that doesn’t like VMs

I use them in flatpak with flatseal where possible and it runs flawless.

  • use Wayland
  • use pipewire (more secure isolation than pulse)
  • opensnsnitch for network monitoring
  • use flatseal to tweak what permissions you want

Do this all on a gaming profile and not an admin account and it should be a fairly good setup.

1 Like

For a more balanced perspective you should read: Response to flatkill.org | TheEvilSkeleton

Unless you’re running malware, I doubt the developers of normal applications are going to circumvent a specific form of sandboxing on the already tiny Linux market share just to do something the user doesn’t want in a way that could result in terrible press coverage, so the actual “strength” of the sandbox in your use case probably doesn’t matter much.

I believe Flatpak (or maybe Snap if you’re on Ubuntu?) should be able to do this. If it’s not done by default you can just use Flatseal as Eebzter suggested.