How to restrict the permission of an application

How can I restrict the file system permissions of an application?
Normally, if you don’t have a SELinux profile, that app, under the same user can do pretty much everything, if the FS permissions allow.

Is AppArmor the right solution to avoid this sort of risk?
Looking online, it looks a bit raw… Too many manual actions to make it work.

I’m searching for a solution to sandbox every app I use, mainly the browser, the most improtant attack vector for me.

I guess the quick and dirty way to do it is to browse via a VM if you really want isolation. Malware can still escape through the VM can still happen but probably less likely.

There is a Linux distro called QubeOS, which is designed for that

hmmm I’ve never used a sandbox but I’ve seen people say they use firejail sometimes;

http://www.slackbuilds.org/repository/14.2/system/firejail/

or if you’re on void;
xbps-install firejail

other distros - idk lol.

In a hypothetical world if i worked for an online marketing company and needed to test something like a web browser addon, I would just use a VM and accept the overhead :slight_smile:

meh.

or maybe…;
[user@user dir]# firejail virtualbox-ose some_os_vdi ? luls

Anyway, I think QuebesOS is well-suited for those who want to sandbox everything :slight_smile:

Thanks all.
The objective was to configure a sandbox on the fly for whatever application, just to avoid QubeOS, between HW incompatibility and other instability concerns is not something I can use on daily basis…

I found also this Sandboxing - Fedora Project Wiki
Withotu copy ans paste it may be a challenge, the example is with FIrefox but I think it may work with anyapplication.

No one found a better solution?