I install Joplin-desktop with snap command on ubuntu 22.04.2.
Joplin starts with the -- no-sandbox parameter. Is there any way to restrict Joplin to run in the sandbox?
All strict Electron snaps are like this; they run in the snapd sandbox instead. The reason being that the internal browser sandbox requires a (relative to normal snaps) high privilege and is itself considered dangerous.
You'll still have namespaces, syscall filtering, mandatory access control and cgroups; they're just managed by snapd instead.
If you were to remove the parameter, you'll find the app doesn't launch because it lacks the necessary privilege to sandbox itself, being already sandboxed.
3 Likes