Last time, we discovered how to use bubblewrap to sandbox simple CLI applications. We will now try to sandbox desktop applications. Desktop applications want access to many different resources: for example, the Wayland (or X) server socket, the sound server socket, or D-Bus services. You could grant blanket access to all such resources for every application, but that increases the attack surface considerably. An alternative is to give access only to resources used by the application you’re try... | Posts on sloonz's blog