It appears that this does the things I am looking for - however, I am suspicious - why do we need a new project like this rather than a simple recipe for the existing jail or chroot system calls ?
What is it that makes something like firejail necessary ?
I've run it only once, and I don't really know, but I was under the impression it just took care of setting up bpf syscall filters and namespaces to provide least privilege - which, given neither X nor e.g. Firefox was designed to be sandboxed, is more complicated than one would expect.
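The syscall-filter half mentioned in the reply, as an added example that is not firejail's code nor any poster's: a minimal seccomp-BPF denylist of the kind a sandbox installs before exec'ing the target, which is the part a chroot recipe cannot express. It assumes Linux with kernel headers, and uses getppid as a constructed victim syscall so the effect is visible without privileges.

```c
/* Added example, not firejail's code: a seccomp-BPF denylist. chroot only moves
 * the filesystem root; this refuses whole system calls. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#endif /* other arches: add their AUDIT_ARCH_* value here */

/* Kill on a foreign arch, EPERM for each nr in deny[], allow the rest.
 * Returns the instruction count, or 0 if the program would not fit in cap. */
static size_t build_deny_filter(struct sock_filter *out, size_t cap, const int *deny, size_t ndeny)
{
    size_t n = 0;
    if (5 + 2 * ndeny > cap) return 0;
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < ndeny; i++) { /* a match falls into the EPERM return */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)deny[i], 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Install the filter on the calling thread: 0 on success, -1 on failure. */
static int install_deny_filter(const int *deny, size_t ndeny)
{
    struct sock_filter insns[64];
    struct sock_fprog prog = { .filter = insns };
    prog.len = (unsigned short)build_deny_filter(insns, 64, deny, ndeny);
    if (prog.len == 0) return -1;
    /* NO_NEW_PRIVS lets an unprivileged process install a filter and keeps setuid children under it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe the constructed victim: errno from a refused getppid(), 0 if allowed. */
static int probe_getppid(void)
{
    errno = 0;
    return syscall(SYS_getppid) == -1 ? errno : 0;
}
```

Once the filter is in place it is inherited across fork and execve, which is how a wrapper like this can constrain a program that was never written to sandbox itself.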