I read there is something called firejail that does this, but according to the reviews on software manager, some have had it destroy their system or mess up their programs, so i dont want to risk that.

There was also something called bubblewrap, but it has no reviews at all.

How big risk does the firejail have and are there any other programs that are good or better for this? I already managed to mess up my system once (blackscreen after login. I think installing portmaster caused it or installing and uninstalling some software + its dependencies), but fortunately i had backup of the system so i could reverse the damage, so i’m a bit more cautious now.

Also, are there any other concerns that one should know about regarding sandboxing?

  • tal@lemmy.todayEnglish
    3·
    6 hours ago

    [continued from parent]

    Here’s an example firejail profile that I use with renpy on Wayland, for example, which is a software package that runs [visual novels](https:. Note that this won’t run everything, especially since one is using a different version of renpy than a game ships with, but generally, with this in place, one can just go to a renpy game’s directory and type firejail renpy . and it’ll run. This doesn’t isolate RenPy games against each other, but it does keep them from mucking with the rest of the system:

    renpy firejail profile 
    # whitelist profile for RenPy (game)
noblacklist ${HOME}/.renpy

include disable-common.inc
include disable-programs.inc
include disable-devel.inc

caps.drop all
net none
nogroups
nonewprivs
noroot
seccomp

tracelog

private-dev
private-tmp

mkdir     ~/.renpy
whitelist ~/.renpy

# All Renpy games need to be stored under here.
whitelist ${HOME}/m/restricted-game/
read-only ${HOME}/m/restricted-game/
read-write ${HOME}/m/restricted-game/renpy

nodvd
notv
nou2f
seccomp.block-secondary

    More of a tool for letting one run that non-packaged software in isolation…but one needs to generally set up the profiles oneself. For example, that profile blocks network access to renpy games…but there are games that will fail if they can’t access the network (though you could say that this is desirable, if you don’t want those games phoning home).