I didn't know about firejail up to now, but this small guide on how to use it to sandbox ffmpeg on Linux seems like useful advice:

Hrm. This needs to be extended to imagemagick (convert) and file, both being run by paperclip on any incoming image file...

No signs of paperclip actually running the firejail ffmpeg wrapper here. *sigh* Debug time...

I don't have the impression this can even work, but maybe I'm missing something important.
See the comment on the issue that the author of that blog post created, at

@galaxis When people try to make the sandboxing argument with snaps, I tell them about this wonderful combo called "apt" and "firejail." I don't care how easy snap is supposed to make things for developers, the user should always come first, which many forget that not all people choose #Linux for the programming but actual everyday desktop use. Snaps, Flatpaks, and AppImages are some of the most selfish package management formats Linux has come up with in a long time.

