There is AppArmor (used by Snappy) that already allows you to lock down a process. In the Ubuntu wiki they mention that there is some sort of Firefox profile, no idea if it is any use for a daily driver though :)
AppArmor is great for incrementally sandboxing parts of your environment. I'm pretty sure the ubuntu repos contain a set of profiles for common applications like Firefox which you can choose to enable. It's very easy to write your own profiles too. Just save it into /etc/apparmor.d/ (I always make the name of my own custom profiles start with "local." so I don't mix them up with the repo-provided ones) and then run "sudo aa-complain FILENAME" to put the profile in non-enforcing complain mode. Watch syslog for a bit to make sure your profile isn't too restrictive, and then once you're sure the profile is good, switch it to enforce mode with aa-enforce. "sudo apparmor_status" tells you the current modes of all profiles.
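The "watch syslog for a bit" step above is where most profile review effort goes, so here is an added example (not the commenter's code, and not from any Ubuntu package) that summarises AppArmor audit records into distinct profile/operation/target lines. It assumes the standard type=1400 kernel audit format; the sample log lines and the /usr/bin/skype and /usr/bin/steam profile names are constructed.

```shell
#!/bin/sh
# Added example: summarise AppArmor denial records while a profile sits in
# complain mode, to spot an over-restrictive profile before aa-enforce.
# In complain mode the kernel still logs every action the profile would have
# blocked, but tags it apparmor="ALLOWED" rather than "DENIED", so grepping
# for DENIED alone misses exactly the events you need to review.

# Pull one key="value" field out of an audit record; prints nothing if absent.
# The leading space keeps "name=" from matching inside "capname=".
field() { printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"; }

# Read syslog/journal lines on stdin and print one line per distinct
# "profile|operation|target|requested_mask" for the profile given as $1
# (all profiles when $1 is empty). Duplicates are collapsed.
apparmor_denials() {
    want="$1"
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*|*'apparmor="ALLOWED"'*) ;;
            *) continue ;;   # STATUS (profile loads) and non-AppArmor lines
        esac
        profile=$(field profile "$line")
        [ -n "$want" ] && [ "$profile" != "$want" ] && continue
        op=$(field operation "$line")
        target=$(field name "$line")
        # capability checks carry capname= instead of name=
        [ -z "$target" ] && target="capability:$(field capname "$line")"
        printf '%s|%s|%s|%s\n' "$profile" "$op" "$target" "$(field requested_mask "$line")"
    done | LC_ALL=C sort -u
}

# Constructed sample records in the audit(1400) format; profiles and paths are made up.
SAMPLE_LOG='kernel: audit: type=1400 audit(1700000000.101:21): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/skype" pid=900 comm="apparmor_parser"
kernel: audit: type=1400 audit(1700000000.202:22): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/home/user/.ssh/id_rsa" pid=2345 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1700000000.203:23): apparmor="ALLOWED" operation="open" profile="/usr/bin/skype" name="/home/user/.ssh/id_rsa" pid=2345 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1700000000.304:24): apparmor="DENIED" operation="open" profile="/usr/bin/skype" name="/etc/shadow" pid=2345 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1700000000.405:25): apparmor="DENIED" operation="capable" profile="/usr/bin/skype" pid=2345 comm="skype" capability=21 capname="sys_admin"
kernel: audit: type=1400 audit(1700000000.506:26): apparmor="ALLOWED" operation="open" profile="/usr/bin/steam" name="/home/user/.gnupg/secring.gpg" pid=3456 comm="steam" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# What a reviewer of the Skype profile would look at before running aa-enforce.
skype_report() { printf '%s\n' "$SAMPLE_LOG" | apparmor_denials /usr/bin/skype; }

skype_report
```

Each output line maps directly to a rule to add (or deliberately leave out) before switching the profile to enforce mode.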
Here's an AppArmor profile I made to lock down the Skype Linux client: https://gist.github.com/AgentME/5640268 . It works as a whitelist listing out exactly what Skype can access. I've got another profile for Steam (and all games that Steam starts up) which just blacklists a few directories (and lets me know if Steam or any games ever try to access those).
Ugh, that's a good point. I don't think AppArmor does any restrictions on X11 use. (I think it supports some fine-tuned controls on dbus usage though, so the idea isn't completely out of scope.) I guess it's better to think of AppArmor like a tripwire than a full sandbox if you open up an app to X11.
Yes, if the tripwire raises an alarm instead of triggering a bomb. A bomb would stop the attacker by killing/injuring him, which is not the case here (he can just come back with X11 exploitation code).