
After exploring flatpak as a source for desktop apps for a while, I would like to use its optional sandboxing features to isolate some of my applications.

The sandboxing feature of flatpak has often been criticized in the past for its loose default permissions:

As was also pointed out in a response, in theory applications like flatseal could be used to create a secure environment that does not allow trivial sandbox escape.

However, the question remains: what does it take to get there?

After reading through the documentation as well as through all the criticism, I have learned of several new ways in which Linux applications can escape restrictions, but I doubt I am aware of all the pitfalls of building an effective sandbox yet.

Basically, I am looking for a comprehensive guide to building sandboxed process environments on Linux that covers all the issues that need to be considered to avoid sandbox escape or otherwise overlooked permissions.
