a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. - github

• Firefox Sandboxing Guide
  • Not all sandboxes are equal. For example: Firejail does not allow to write outside Downloads. Sandbox does not prevent such writing. - SO
• Limit the memory size used by the jailed process #593 - ulimit + firejail or firejail --cgroups
  • ulimit vs cgroup - the mechanisms are generally not redundant: - cgroup sets limits per groups of processes
    • setrlimit sets limits per user or per process (ulimit is a wrapper arrount setrlimit)
• Limit memory usage for a single Linux process

see also

• systemd-run --scope --user -p MemoryLimit=1G vivaldi-stable - and What is a systemd scope for?
• How do I check cgroup v2 is installed on my machine? - grep cgroup /proc/filesystems
• How To Sandbox Processes With Systemd On Ubuntu 20.04