Walsh: Introducing the SELinux Sandbox

I've got apparmor-utils 2.3+1289-0ubuntu14 but it doesn't seem to be there.

But the really important thing is to have a suitable sandbox policy installed by default so that applications can use it automatically, without having to get root access first to install the policy. This would probably remove the need for plash to be setuid root too.

One of the things I'd like to use it for would be sandboxing archive extraction. In Zero Install, we unpack downloaded archives and then check the contents against a digest, so it would be really useful to sandbox the extraction process to guard against malicious packages trying to exploit flaws in tar, etc.