Also consider Bubblewrap, which is what Flatpak uses under the hood. There are a couple of meaningful differences which may or may not be important to you: <a href="https://github.com/containers/bubblewrap#related-project-comparison-firejail" rel="nofollow">https://github.com/containers/bubblewrap#related-project-com...</a><p>Personally, I like that Bubblewrap doesn't require the same level of privileging, and I like the consistency with Flatpak. It feels like an unnecessary increase in attack surface to be running completely separate sandboxing tools. But, there are also advantages to Firejail, I'm not saying you shouldn't use it.<p>Reminder that unless you're doing complicated things with X sessions, Wayland is an important part of sandboxing and you should probably assume that any graphical malware will be able to break out of a sandbox on an X system (not because it's <i>impossible</i> to sandbox X, just that if you're dabbling in this stuff you're probably not sandboxing it correctly). Honestly, you should probably use something more robust than either of these programs if you're worried about malware. I just think it's easier and safer to use a VM and importantly I think you're less likely to shoot yourself in the foot using a VM (although it is still possible for malware to escape VMs depending on how they're configured). I'm not a security expert, take that advice with many grains of salt.<p>----<p>A lot of these programs (in my opinion) lack really good documentation about how to work with them. You kind of need to know the basics of how they work before you start. I think if anyone ever wanted to create a really detailed guide about what the different options are, what the considerations are, stuff like that, there's a lot of opportunity there to single-handedly drastically improve the accessibility of these tools. 
Most guides I have seen assume you already know how the underlying permissions, process isolation, network stuff all works -- even some of the better guides on Arch (<a href="https://wiki.archlinux.org/title/Firejail" rel="nofollow">https://wiki.archlinux.org/title/Firejail</a>, <a href="https://wiki.archlinux.org/title/bubblewrap" rel="nofollow">https://wiki.archlinux.org/title/bubblewrap</a>) are just not accessible unless you're willing to go down those rabbit holes and figure out all of the terminology being used.<p>It's not that the documentation doesn't exist, and once you understand how the command line options work they're kind of nice, but all of the documentation is kind of spread around and hard to find and there's a lot of pulling up manpages and looking up words that get dropped with no context -- if you happen to know Linux security even just reasonably well and you're ever looking around for an unmet need or niche that's possible for one person to solve on their own, then this is the kind of problem that could be fixed with like one in-depth blogpost series.<p>There's just a real need for more tutorials about this stuff that can be shared with people who want to do manual configuration or command line usage, but that don't necessarily have the background required to just jump into the Arch docs. I've thought about trying to make one, but I am very nervous about giving people bad advice since I'm mostly self-taught on a lot of the security stuff.<p>I haven't checked back though since I started using Bubblewrap, so also maybe I'm out of date and there's more documentation today.