The FAQ mentions a sandbox in PureOS. Can you elaborate on that?
Does PureOS use Wayland yet? Does the browser work with Wayland?
I've been using firejail + xpra, and + Xephyr when xpra got buggy. Now I'm waiting on Fedora 25 to use firejail with Wayland. If PureOS is also going in this direction, I'd like to try it.
Yes, the plan is to move to Wayland (I have been testing it on a Librem 13 for a few months already and it works quite well). We also discussed firejail a bit, which we will take into consideration once we have more time to invest into it (which should be soon(ish)).
We are also considering the use of Flatpaks (at least for some software, such as end-user applications that don't get updated in Debian regularly, or where we want to diverge), which also has sandbox capabilities (note that Wayland enables sandbox capabilities per se).
One distro whose work is worth watching (they still need to put all sources out) is Subgraph with its Oz layers.
An additional, equally interesting read would be http://0pointer.net/blog/revisiting-how-we-put-together-linux-systems.html
If you're looking at firejail and Flatpaks, you should also look at AppImage, which firejail has support for. By combining this with firejail's --private-home flag, you can have not-quite-trusted apps and persistent data.
Just from looking at Flatpak, it looks pretty nice, but I can't see a way to manage which folders in your home a Flatpak can be allowed to write to. Portals could probably solve that.
I currently use firejail with --private-home on all the big, scary GUI apps. For some things, like GIMP and Blender, they can share that private home. It's also easy to have multiple private homes for multiple browser instances that are unaware of each other, for example personal, work, and misc browsers running at the same time. Maybe Flatpak can do this too.
Either way, it would be great if you tracked firejail in the repos and disabled abstract sockets in the X server. Since you're aware of firejail, you're probably already aware of this, but just in case:
the Xorg option is '-nolisten local', so the end result should be the X server only listening on the unix socket (man Xserver). It allows 'firejail --x11=block' to actually block X11 from those apps, but won't interfere with any other use of X11.
Since PureOS is down, on Ubuntu it's set in /usr/share/lightdm/lightdm.conf.d/50-xserver-command.conf
I'm sure the only reason these abstract sockets are enabled is because that's the Xorg default.
Also, for sandboxing legacy X11 apps, xpra is great when it works, so a stable track of xpra would be nice too. Hopefully PureOS won't need it if everything supports Wayland. I don't know if xpra can be stable, but falling back on Xephyr's been kind of a pain.
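As an added example (not code from either poster, from Purism, or from the firejail project), here is a small POSIX shell audit helper for the abstract-socket point made in the post above. It does two things: counts X server listeners in the abstract namespace (`@/tmp/.X11-unix/X<n>`) in `ss -xl` output, which is what `firejail --x11=block` cannot cut off as long as the server listens there, and idempotently adds `-nolisten local` to the `xserver-command=` line of a lightdm drop-in. The `ss` output and the drop-in text below are constructed samples; the real 50-xserver-command.conf on a given system may contain different options, and the names `x11_abstract_listeners` and `ensure_nolisten_local` are my own.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters).
#  1. x11_abstract_listeners: count abstract-namespace X11 listeners in `ss -xl`
#     output. A sandboxed app can reach these even when /tmp/.X11-unix is hidden.
#  2. ensure_nolisten_local: add `-nolisten local` to the xserver-command line
#     of a lightdm drop-in, leaving it alone if the flag is already present.
# All sample texts are constructed for the example.

# Constructed `ss -xl` output: one abstract listener plus the filesystem socket.
SAMPLE_SS_ABSTRACT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    @/tmp/.X11-unix/X0 21863 * 0
u_str LISTEN 0      128    /tmp/.X11-unix/X0 21864 * 0'

# Constructed `ss -xl` output as expected after starting X with -nolisten local.
SAMPLE_SS_FS_ONLY='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /tmp/.X11-unix/X0 21864 * 0'

# Constructed drop-in in the style of lightdm.conf.d/50-xserver-command.conf.
SAMPLE_CONF='[Seat:*]
xserver-command=X -core'

# $1: text of `ss -xl`. Prints the number of abstract X11 listeners.
# grep -c exits 1 when the count is 0, so force success to keep the
# number usable under `set -e`.
x11_abstract_listeners() {
    printf '%s\n' "$1" | grep -c '^u_str .*@/tmp/\.X11-unix/X[0-9]' || true
}

# $1: drop-in text. Rewrites it with `-nolisten local` appended to every
# xserver-command line that lacks it; other lines pass through unchanged.
ensure_nolisten_local() {
    printf '%s\n' "$1" | awk '
        /^xserver-command=/ && !/-nolisten local/ { $0 = $0 " -nolisten local" }
        { print }'
}

# Live check when run on a desktop: report what the running X server exposes.
# Skipped when there is no DISPLAY or no `ss`, so the file can be sourced safely.
if [ -n "$DISPLAY" ] && command -v ss >/dev/null 2>&1; then
    live=$(ss -xl 2>/dev/null || true)
    echo "abstract X11 listeners on this host: $(x11_abstract_listeners "$live")"
fi

# Demonstration on the constructed samples.
echo "sample (Xorg default):  $(x11_abstract_listeners "$SAMPLE_SS_ABSTRACT") abstract listener(s)"
echo "sample (-nolisten local): $(x11_abstract_listeners "$SAMPLE_SS_FS_ONLY") abstract listener(s)"
echo "patched drop-in:"
ensure_nolisten_local "$SAMPLE_CONF"
```

To apply the change on a lightdm system you would run `ensure_nolisten_local` over the real drop-in text and write the result back to a new file under lightdm.conf.d (later files override earlier ones), then re-run the live check after restarting the display manager: the count should drop to 0 while the `/tmp/.X11-unix/X0` filesystem socket remains, which is the state in which `firejail --x11=block` (or a `--private-home` profile that hides `/tmp/.X11-unix`) actually isolates the app from the display.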