How to restrict the permission of an application

How can I restrict the file system permissions of an application?
Normally, if you don’t have a SELinux profile, that app, under the same user can do pretty much everything, if the FS permissions allow.

Is AppArmor the right solution to avoid this sort of risk?
Looking online, it looks a bit raw… Too many manual actions to make it work.

I’m searching for a solution to sandbox every app I use, mainly the browser, the most improtant attack vector for me.

I guess the quick and dirty way to do it is to browse via a VM if you really want isolation. Malware can still escape through the VM can still happen but probably less likely.

There is a Linux distro called QubeOS, which is designed for that

hmmm I’ve never used a sandbox but I’ve seen people say they use firejail sometimes;

http://www.slackbuilds.org/repository/14.2/system/firejail/

or if you’re on void;
xbps-install firejail

other distros - idk lol.

In a hypothetical world if i worked for an online marketing company and needed to test something like a web browser addon, I would just use a VM and accept the overhead :slight_smile:

meh.

or maybe…;
[user@user dir]# firejail virtualbox-ose some_os_vdi ? luls

Anyway, I think QuebesOS is well-suited for those who want to sandbox everything :slight_smile:

Thanks all.
The objective was to configure a sandbox on the fly for whatever application, just to avoid QubeOS, between HW incompatibility and other instability concerns is not something I can use on daily basis…

I found also this Sandboxing - Fedora Project Wiki
Withotu copy ans paste it may be a challenge, the example is with FIrefox but I think it may work with anyapplication.

No one found a better solution?

I only heard about Firejail and Mbox. Both are fairly straightforward to use.

I ended up requiring root-access to directories that contain sensitive information.

to sandbox every app I use, mainly the browser, the most improtant attack vector for me

Can you elaborate, how a browser can become an attack vector for your filesystem?

Not quite sure where are you going, but i can recommend linux mint web apps. It will isolate your browser profile, however if you want bulletproof OS there is only one way to go…

  1. Create live usb image of your system (don’t use linux live usb! default firefox profile is garbage)
  2. Remove yours HDD/SDD (you can still wipe/damage/catch malware on your disks with live USB).
  3. Boot with USB, and do whatever you want. It’s read only FS… Reboot and all traces and modifications are gone…
    Have fun