rusty-snake
You create a seccomp filter that only allows `read(2)` and `write(2)`. Every other syscall will trigger a userspace callback and block the calling thread indefinitely (ignoring signals and the like)....
Hi, just going through my GitHub todo list. I have interest but unfortunately no time.
Ahh, thanks. Adding this info to the README would be good. Something like > This project is in maintenance mode, meaning only critical bugs will be fixed. Or want to...
Fedora, openSUSE, Ubuntu/Mint seem to have a `chromium-browser.desktop`. Some more distros like Alpine have at least an additional `/usr/bin/chromium-browser` binary/symlink. See https://pkgs.org/search/?q=chromium. Given that, do you still prefer to patch...
RPM based distros and Linux Mint? While Linux Mint is built on top of Ubuntu, they don't use snaps. Upstream seems to use chromium-browser over chromium https://source.chromium.org/search?q=chromium-browser.desktop
Maybe `expanduser` (i.e. `~` -> `/home/user`) would be something some users expect too. It's always hard to explain that `$HOME` and `~` are shell things. And that they are different...
... making it less secure because Firefox native sandbox can confine dangerous (web content, ...) processes to a bare minimum of system resources. --- Most (user-facing) programs work...
> The advantage of using the /proc/sys/user over the seccomp is that the exact namespace limit can be specified. :+1: > What about Steam? I think it uses namespaces for...
> For bubblejail it makes sense to restrict write permission outside the instance home and run directory. It can also be used for W^X in the filesystem.
> how is the block of home/.var/app done? Mount a `tmpfs` over it (bwrap: `--tmpfs $HOME/.var/app`). This also means you can only block files that exist. So either you create...