Presentation: Apps sandboxing in systemd
This talk will explain how easy it is to confine apps and objects using systemd's sandbox features. Many projects take advantage of Linux features to construct robust sandboxes; the most advanced is probably the Chrome sandbox, a layered approach that has proved to be both robust and flexible. On top of the Chrome sandbox sit an IPC mechanism and a broker that enable an effective multi-process architecture in which the renderers are confined. The fact that systemd speaks D-Bus and is the first to support all modern Linux features, including the cgroup v2 API, makes it suitable for constructing such sandboxes. Other projects may take advantage of systemd scopes and all of these user-friendly features to gain native sandbox support, making sandboxing a first-class citizen. With namespaces and simple, expressive seccomp filters, projects may in the future even match some of FreeBSD's Capsicum functionality.
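As an added illustration of the kind of confinement the abstract describes (this is not material from the talk itself), the following service unit uses only documented systemd sandboxing directives: mount namespaces to hide the host file system, a seccomp filter built from systemd's own syscall groups, and a dynamic, unprivileged user. The service name, binary path and listening ports are assumed for the example.

```ini
# /etc/systemd/system/example-renderer.service  (hypothetical unit, example only)
[Unit]
Description=Example sandboxed worker using systemd confinement

[Service]
ExecStart=/usr/bin/example-renderer       ; assumed binary path
# Run as a transient, unprivileged user allocated at start time
DynamicUser=yes
# Never regain privileges via setuid/fscaps after exec
NoNewPrivileges=yes
# Mount-namespace based isolation: read-only OS, no home, private /tmp and /dev
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Drop all capabilities from the bounding set and forbid creating new namespaces
CapabilityBoundingSet=
RestrictNamespaces=yes
# Only allow the socket families the worker actually needs
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Block W+X mappings and personality changes
MemoryDenyWriteExecute=yes
LockPersonality=yes
# Seccomp: allow the "system service" syscall group, reject everything else with EPERM
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security example-renderer.service` scores the exposure of the configuration and lists any directive still left open, which is a quick way to check that the intended confinement is actually in effect before deploying.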