So Fedora 12 has a convenient sandbox for running Firefox and other apps. Chrome runs sandboxed. And Windows 7 can even run IE sandboxed (allegedly). But in trying to find an easy, ready-to-go sandbox for Ubuntu and Arch I didn't find anything. Given Firefox's use of the exploit-ridden Flash, Java, and third-party plugins, I think this is an important ability.

For those who aren't familiar, a sandbox is a way of running an app in a way that limits its access to the system resources. For example, Firefox running in a sandbox would only be able to access a limited subset of the filesystem - only the folders you include in the sandbox. This way any processes Firefox uses, such as Java, Flash, and plugins, are also limited.

There are full (over-)blown solutions for this, such as AppArmor, SELinux (which is how Fedora apparently accomplishes it), and others. But none ready to go with no configuration. (Plus, I personally don't put a lot of trust in Novell or SELinux.) And I trust Google with my private data as much as I trust Microsoft, so Chrome is nothing I want anything to do with. The lack of options led me to develop Sandfox, which is designed to be easy to use and also flexible.

In the easy department, you can install Sandfox and have Firefox running in a sandbox with one command:
sudo sandfox firefox
In the flexible department, any app can be run sandboxed, either sharing a single sandbox or one for each program, based on profiles you can create.

Sandbox is written in pure bash and uses only core Linux commands to create a chroot jail for Firefox. I wrote this primarily for my own use (and I'm writing this post from a sandboxed Firefox) but I'm sharing it because I think it fills a niche for a ready-to-go app sandbox. I'll let you review the website for the additional details. If you have any questions feel free to ask.

sandfox --help

Usage: sandfox [OPTIONS] [COMMAND [ARG]...]
Runs COMMAND as a normal user within a chroot jail sandbox with limited
access to the filesystem.  Supports profiles for apps and includes a default
Firefox profile. Must be run as root when creating sandbox.  Examples:
 sudo sandfox firefox                    # Runs Firefox in a sandbox
 sudo sandfox bash                       # Shell to explore a sandbox
--bindro TARGET           Include TARGET (a file or folder) in the sandbox
                            bind-mounting it as a read-only filesystem
--bind TARGET             Include TARGET (a file or folder) in the sandbox
                            with same ownership and permissions when possible
--copy TARGET             Place a disposable copy of TARGET (a file or folder)
                            in the sandbox
--hide TARGET             Include TARGET (a file or folder) in the sandbox
                            by bind-mounting an empty file or folder onto it
                            Effectively hides the real TARGET from the sandbox
                            Also provides a writable dummy folder
--profile PROFILE         Load PROFILE (a profile name or pathname).  By
                            default profiles are stored in /etc/sandfox
--make                    Force creation or update of a sandbox (make is
                            implied if you specify binds or profiles)
--sandbox NAME            Specify name of sandbox to use, create, or update
--close NAME              Unmount and remove sandbox NAME
--closeall                Unmount and remove ALL sandboxes
--status                  Show the status of all current sandboxes
--shell                   Run COMMAND in a shell and wait.  Requires root.
                            (bash is always run in a shell)
--user USERNAME           Run command as USER in the sandbox - useful if
                            auto-detection does not work or to override
--profilefolder FOLDER    Use FOLDER instead of the default profile folder
                            IMPORTANT: should be root owned & write-protected
--logfile LOGFILE         Also append messages to LOGFILE.  sandfox daemons
                            will also update this file provided it is
                            accessible from within the sandbox.
--verbose                 Provide detailed feedback
--quiet                   Minimize output messages
NOTES: OPTIONS must precede COMMAND; you can also use OPTION=VALUE; binds are
processed in this order: bindro bind copy hide; missing binds are ignored; if
a profile for COMMAND exists it will be automatically loaded; default profile
is always loaded; profiles may contain any options valid on the command line;
if COMMAND is omitted, a sandbox will be created for use.