Linux sandboxing with bubblewrap
AppArmor is a good way to sandbox programs on a Linux system, but it has some limitations. In particular, it requires you to define a static profile for each program, and changing profiles requires root access. This can be impractical for ad-hoc usages, and in particular if you want to give the program access to a particular directory (such as the current directory). These gaps can be filled with bubblewrap.
read more