> Instead, I would prefer all applications were sandboxed to their own little respective areas with minimal access to data unless explicitly authorized.
You’ll be interested to learn about systemd-nspawn. You can sandbox stuff with it really easily. It is like chroot so not really resource intensive, lighter than a container.
I think a pretty useful thing you can do is boot ephemeral instances. So whatever someone does there gets undone. Useful if you’re doing system testing or CI. Because you just set up the machine once and then your scripts and whatever can do what you want. Perfect example is when trying to test install scripts.
Though this is also kinda the point of flatpak and snap. Though these are controversial in the Linux community. Then again a lot of people dislike systemd, though fewer than originally.
The nspawn does look interesting, and potentially exactly what I want. Although, this wiki page is dense enough that I am concerned I am going to somehow misconfigure it and be less secure than I would be without using it.
I Flatpak wherever I can, but several of my required applications are not first-party packaged, which makes me extra squeamish about installing them.
I read a good chunk of that wiki link, but didn't really come away with an understanding of how it differs from just using Docker for sandboxing an app.
It differs by not being insane. Trivial functionality that actually works. It's what's good about systemd.
It doesn't require forwarding sockets or giving free access to root just for building images. It doesn't explode just because you touch your nftables rules. It doesn't suddenly expose a process to the Internet because of some undocumented option. You can use all the normal tools such as auditd and SELinux without having your configuration overwritten by a madman.
You’re missing the trees for the forest. At a high level they are the same, just as with LXC or podman or others. But it’s the details which are really important. Because you're leveraging the system you can really shrink down the size, as another user mentioned. But there’s also a convenience in just being able to use systemd when it's already built into your system.
I suggest also reading
man systemd-nspawn
Just type it into your terminal, you don’t need to install anything
https://wiki.archlinux.org/title/Systemd-nspawn
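The ephemeral-instance idea for testing install scripts, plus the worry about misconfiguring nspawn, as an added example (not code from the thread or the wiki): a small wrapper that assembles a locked-down `systemd-nspawn` invocation and refuses to start the container if any hardening flag is missing. It assumes `TREE` is an OS tree you prepared beforehand and `SCRIPT` is the installer under test; the particular flag set is this example's choice.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs an install script inside a
# throwaway, locked-down systemd-nspawn container and refuses to launch if
# any hardening flag is missing. TREE and SCRIPT are caller assumptions.

# Flags that must all be present before the container is started.
REQUIRED_FLAGS="--ephemeral --private-network -U --no-new-privileges=yes"

# hardened_args TREE SCRIPT: print the nspawn argument list, one per line.
#   --ephemeral         work on a snapshot/copy of TREE, discarded on exit
#   --private-network   loopback only; the installer cannot reach the network
#   -U                  user namespace with a picked UID range (no host root)
#   --no-new-privileges setuid/fscaps cannot raise privileges inside
#   --drop-capability   remove capabilities an installer should never need
#   --bind-ro           expose the script read-only at a fixed path
hardened_args() {
  tree=$1 script=$2
  cat <<EOF
--quiet
--ephemeral
--directory=$tree
--private-network
-U
--no-new-privileges=yes
--drop-capability=CAP_SYS_ADMIN,CAP_SYS_MODULE,CAP_SYS_RAWIO,CAP_NET_ADMIN
--bind-ro=$script:/run/install.sh
--
/bin/sh
/run/install.sh
EOF
}

# check_hardened ARGLIST: succeed only if every REQUIRED_FLAGS entry appears
# as its own argument; guards against an edited wrapper silently weakening.
check_hardened() {
  for f in $REQUIRED_FLAGS; do
    printf '%s\n' "$1" | grep -qxF -- "$f" || { echo "missing $f" >&2; return 1; }
  done
}

# run_sandboxed TREE SCRIPT: validate, then launch (needs root on the host).
run_sandboxed() {
  args=$(hardened_args "$1" "$2") && check_hardened "$args" || return 1
  command -v systemd-nspawn >/dev/null 2>&1 || { echo "no systemd-nspawn" >&2; return 2; }
  oldifs=$IFS; IFS='
'; set -f; set -- $args; set +f; IFS=$oldifs   # split on newlines only
  systemd-nspawn "$@"
}
```

Run as `run_sandboxed /var/lib/machines/yourtree ./install.sh`; because of `--ephemeral`, whatever the installer changes inside the tree is gone when it exits.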