Sandboxing Applications on Desktop Linux

Some sandboxing solutions for desktop Linux distributions do exist, however they are not as strict as those found in macOS or ChromeOS. Applications installed from the package manager (dnf, apt, etc.) typically have no sandboxing or confinement whatsoever. Below are a few projects that aim to solve this problem:


Flatpak aims to be a universal package manager for Linux. One of its main functions is to provide a universal package format which can be used in most Linux distributions. It provides some permission control. However, it is known that Flatpak sandboxing could be improved as particular Flatpaks often have greater permission than required. There does seem to be some agreement that this is the case.

You can restrict applications further by issuing Flatpak overrides. This can be done with the command-line or by using Flatseal. Some sample overrides are provided by rusty-snake.

We generally recommend revoking access to:

  • the Network (share=network) socket (internet access)
  • the PulseAudio socket (for both audio in and out), device=all (access to all devices including the camera)
  • org.freedesktop.secrets dbus (access to secrets stored on your keychain) for applications which do not need it

If an application works natively with Wayland (and not running through the XWayland compatibility layer), consider revoking its access to the X11 (socket=x11) and Inter-process communications (IPC) socket (share=ipc) as well.

We also recommend restricting broad filesystem permissions such as filesystem=home and filesystem=host which should be revoked and replaced with just the directories that the app needs to access. Some applications like VLC implement the Portals API, which allows a file manager to pass files to the Flatpak application (e.g. VLC) without specific filesystem access privileges. VLC is only able to access the specific file that you want to open, rather than requiring privileges to particular locations.

Hard-coded access to some kernel interfaces like /sys and /proc and weak seccomp filters unfortunately cannot be secured with Flatpak.


Firejail is another method of sandboxing. As it is a large setuid binary, it has a large attack surface which may assist in privilege escalation.

This post from a Whonix security researcher provides additional details on how Firejail can worsen the security of your device.

Mandatory Access Control

Mandatory access control systems require policy files in order to force constraints on the system.

The two main control systems are SELinux (used on Android and Fedora) and AppArmor.

Fedora includes SELinux preconfigured with some policies that will confine system daemons (background processes). We don’t recommend disabling SELinux.

openSUSE gives the choice of AppArmor or SELinux during the installation process. We recommend sticking to the default for each variant (AppArmor for Tumbleweed and SELinux for MicroOS). openSUSE’s SELinux policies are derived from Fedora.

Arch and Arch-based operating systems often do not come with a mandatory access control system and that must be configured manually for either AppArmor or SELinux.

Linux desktops don't usually include individual app confinement rules, unlike Android which sandboxes every application installed.

Making your own policies/profiles

You can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, and seccomp blacklist to have better confinement of applications. This is an advanced and sometimes tedious task, so we won’t go into detail about how to do it here, but we do have a few projects that you could use as reference.

Securing Linux containers

If you’re running a server, you may have heard of Linux Containers, Docker, or Podman which refer to a kind of OS-level virtualization. Containers are more common in server and development environments where individual apps are built to operate independently.

Docker is one of the most common container solutions. It does not run a proper sandbox, and this means that there is a large kernel attack surface. The daemon controls everything and typically runs as root. If it crashes for some reason, all the containers will crash too. The gVisor runtime which implements an application level kernel can help limit the number of syscalls an application can make and can help isolate it from the host’s kernel.

Red Hat develops Podman and secures it with SELinux to isolate containers from each other. One of the notable differences between Docker and Podman is that Docker requires root while Podman can run with rootless containers that are also daemonless, meaning if one crashes they don’t all come down.

Another option is Kata containers, where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.

The above container technologies can be useful if you want to run certain web app software on your local network, such as Vaultwarden or images provided by, to increase privacy by decreasing dependence on various web services. A guide on hardening Docker and OCI has been written by the author "Wonderfall."