On 07/19/2016 07:03 PM, Carsten Mattner via arch-general wrote:
This is a nice and useful project, but I think we could be served better in the short term by having supported firejail profiles for things like Firefox and LibreOffice that are easy to use.
Firejail is a different design with less filesystem isolation. We should have both, even in the long term. The more direct competitor to Firejail is Bubblewrap, not Flatpak/pacpak.
That said, the documentation on Firejail on the wiki seems to contain the most important things. I’m not knowledgable enough about Firejail though. Network namespaces are missing in the wiki instructions. I don’t know if Firejail can restrict D-Bus access. In the past I could launch an unrestricted Nautilus from a Firejail’d Icecat, but apparently that no longer works. I don’t know enough about the advantages/disadvantages over Bubblewrap; apparently there is some disagreement about the scope, e.g. whether how Pulseaudio should be dealt with.
Regards, Florian Pelz