AppArmor is a good way to sandbox programs on a Linux system, but it has some limitations. In particular, it requires you to define a static profile for each program, and changing profiles requires root access. This can be impractical for ad-hoc usages, and in particular if you want to give the program access to a particular directory (such as the current directory). These gaps can be filled with bubblewrap.

If you have a Linux system with AppArmor, you can use it to sandbox IntelliJ IDEA. Do not install IntelliJ with snap, download the .tar.gz archive instead and unpack it in /opt/JetBrains/. Then add this file to /etc/apparmor.d. #include <tunables/global> profile idea /opt/JetBrains/idea*/bin/* { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> #include <abstractions/ssl_certs> #include <abstractions/gnome> #include <abstractions/xdg-open> #include <abstractions/dbus-session> /etc/** r, /dev/** r, /dev/ptmx rw, @{PROC}/ r, @{PROC}/** r, /sys/** r, /bin/* rixm, /usr/bin/{[^s]*,?

If you have a Linux system with AppArmor, you can use it to secure your Go builds. First install Go in /usr/local/go as in the the instructions. Then add this file to /etc/apparmor.d, replace ${HOME} with your home directory. #include <tunables/global> profile go /usr/local/go/bin/go { #include <abstractions/base> #include <abstractions/consoles> /tmp/ r, /tmp/** rwkix, @{PROC}/** r, /sys/** r, /dev/** r, /etc/** r, /usr/** r, /bin/** ix, /usr/bin/** ix, /usr/libexec/** ix, /usr/lib/** ix, /usr/local/go/** rix, owner @{HOME}/.