What's the best way to sandbox an X application like Firefox or Thunderbird in Ubuntu (going in the direction of what Qubes OS does, but only for single applications)?
I know there are many different sandboxing technologies. For example:
Just using VirtualBox: This seems to be very secure but a resource overkill. You would need a minimal OS in VirtualBox just to run Firefox.
Using the SELinux sandbox technology. This seems to be the best option, but as far as I know SELinux is available in Ubuntu but not very well configured by default (in contrast, for example, to Red Hat Linux). Furthermore, the sandbox part of SELinux seems to be missing: https://unix.stackexchange.com/questions/67127/how-do-i-install-selinuxs-sandbox-utility-on-linux-mint-debian-edition?lq=1 so one would have to compile it.
The AppArmor equivalent seems not to be production ready and is currently not shipped with Ubuntu as far as I know. However, I cannot estimate what the state of development is and whether it would be worth waiting for the next Ubuntu release, where it will probably be part of it.
The GNOME desktop seems to support X sandboxing. It is not clear to me if one can use this in a WM-independent way.
The lightweight tool mbox seems to operate only on the filesystem level, which would not be sufficient for X applications.
The same is true for self-made chroot solutions, such as the sandfox script.
A more lightweight and secure option than chroot seems to be Plash. But I am not sure how well the X protection is implemented.
There is also a program called arkose which seems to be well supported for Ubuntu, but at the same time there is very little documentation of how it works and I have no idea how secure it is compared to other approaches.
Docker seems to be made more for server applications than for desktop ones. I don't see if it is secure for X applications. There is a newer project called kagome which seems to combine Docker with Xephyr for X isolation. But the author notes that Docker has some security flaws and it might be better to switch to another container solution such as systemd-nspawn, rkt or lxd.
Other solutions are: seccomp-nurse, Rainbow, vagrantup
Finally, especially for Firefox, there is an AppArmor profile for Ubuntu, but it is not enabled by default. This is not a sandbox but should give you some level of security when using Firefox (but I don't know how it compares to the sandbox solutions above).
So there seem to be many approaches, but I don't know how (and why) those compare in terms of security for sandboxing X applications like Firefox or Thunderbird, in terms of usability, especially in Ubuntu Linux, and which are production ready and well supported. It would be great if someone could give some details about this, how to categorize them, and which of them would be worth having a closer look at for my purpose.