19 October 2025
      
    
    Linux sandboxing with bubblewrap
      AppArmor is a good way to sandbox programs on a Linux system, but it has some limitations. In particular, it requires you to define a static profile for each program, and changing profiles requires root access. This can be impractical for ad-hoc use, particularly if you want to give the program access to a specific directory (such as the current directory). These gaps can be filled with bubblewrap.
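The ad-hoc case described above, as an added example that is not code from the original post: a shell function that runs a command under bubblewrap with the OS mounted read-only and a single directory mounted read-write, with no root access and no profile to install. The names `sandbox_here`, `BWRAP` and `SANDBOX_DIR` are hypothetical, and the bind list assumes a typical distribution layout.

```shell
#!/bin/sh
# Added example, not from the post. sandbox_here, BWRAP and SANDBOX_DIR are
# hypothetical names. BWRAP=echo gives a dry run that prints the arguments.

# Run "$@" in a sandbox whose root is an empty tmpfs: only the paths bound
# below exist inside it. The OS is read-only and one directory (default:
# the current one) is read-write. Works as an unprivileged user.
sandbox_here() {
    dir=${SANDBOX_DIR:-$(pwd -P)}

    # Exposing / or the whole home directory read-write would hand the
    # program shell startup files and SSH keys, which defeats the sandbox.
    case $dir in
        /|/home|/root|"$HOME")
            echo "refusing to expose $dir read-write" >&2
            return 2 ;;
    esac

    # --unshare-all also removes network access; add --share-net after it
    # if the program needs the network.
    # --new-session detaches the program from the controlling terminal.
    # The *-try variants skip paths that do not exist on this system.
    ${BWRAP:-bwrap} \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --ro-bind-try /bin /bin \
        --ro-bind-try /sbin /sbin \
        --ro-bind-try /lib /lib \
        --ro-bind-try /lib64 /lib64 \
        --ro-bind /etc /etc \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --bind "$dir" "$dir" \
        --chdir "$dir" \
        "$@"
}

# Usage, from inside a project directory:  sandbox_here make test
```

Because the sandbox root starts empty, the rest of the home directory is simply absent inside it rather than denied by a rule.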
    
  
        19 October 2025
      
    
    Sandbox IntelliJ IDEA with AppArmor
      If you have a Linux system with AppArmor, you can use it to sandbox IntelliJ IDEA.
Do not install IntelliJ with snap; download the .tar.gz archive instead and unpack it in /opt/JetBrains/.
Then add this file to /etc/apparmor.d.
#include <tunables/global>

profile idea /opt/JetBrains/idea*/bin/* {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/gnome>
  #include <abstractions/xdg-open>
  #include <abstractions/dbus-session>

  /etc/** r,
  /dev/** r,
  /dev/ptmx rw,
  @{PROC}/ r,
  @{PROC}/** r,
  /sys/** r,
  /bin/* rixm,
  /usr/bin/{[^s]*,?