- creates an empty directory,
- forks the mount table for the new bash process and its children (requires privileges),
- unshares /home (required if / is mounted in shared mode [1]),
- hides /home by bind-mounting the empty directory over it,
- starts firefox in unprivileged mode, without being able to access the user's files.
[1] https://www.kernel.org/doc/Documentation/filesystems/shareds...
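The five steps above as a runnable script. This is an added example, not the commenter's command: it assumes Linux with util-linux `unshare`, `mount` and `runuser`, and must be run as root; the user name and command are taken from the arguments. It also goes one step beyond the comment by parsing `/proc/self/mountinfo` to report whether a path sits on a shared mount, which is the condition under which the "unshare /home" step is needed. The `sample_mountinfo` lines are constructed, not taken from a real machine.

```bash
#!/bin/bash
# Added example (not the original comment's command). Hide /home from an
# unprivileged program by giving it a private mount namespace in which an
# empty directory is bind-mounted over /home. Assumes root, util-linux
# unshare(1)/mount(8)/runuser(1); the user name is a hypothetical argument.
set -eu

# Propagation type (shared, slave, unbindable or private) of the mount that
# contains PATH, read from the optional-fields column of /proc/self/mountinfo
# (or of the file named by the second argument). The longest mount point that
# is a prefix of PATH is the mount PATH lives on. A shared mount would
# propagate our bind mount back to the parent namespace, hence step 3 below.
mount_propagation() {
    local path=$1 info=${2:-/proc/self/mountinfo}
    local best='' bestlen=0 id parent dev root mnt opts rest opt
    while read -r id parent dev root mnt opts rest; do
        case "$mnt" in
            /) ;;                                  # root matches every path
            *) case "$path" in
                   "$mnt"|"$mnt"/*) ;;
                   *) continue ;;
               esac ;;
        esac
        [ "${#mnt}" -ge "$bestlen" ] || continue   # keep the longest match
        bestlen=${#mnt}
        # Optional fields sit between the mount options and the " - " separator.
        case "$rest" in
            "- "*) opt='' ;;
            *)     opt=${rest%% - *} ;;
        esac
        case "$opt" in
            *shared:*)    best=shared ;;
            *master:*)    best=slave ;;
            *unbindable*) best=unbindable ;;
            *)            best=private ;;
        esac
    done < "$info"
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Constructed mountinfo lines (not captured from a real system) to exercise
# the parser: a shared root and /home, a slave, a private and an unbindable mount.
sample_mountinfo() {
    cat <<'EOF'
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
45 28 8:2 / /home rw,relatime shared:25 - ext4 /dev/sda2 rw
60 28 0:35 / /mnt/slave rw,relatime master:25 - ext4 /dev/sdb1 rw
61 28 0:36 / /mnt/priv rw,relatime - tmpfs tmpfs rw
62 28 0:37 / /mnt/unb rw,relatime unbindable - tmpfs tmpfs rw
EOF
}

# The procedure itself. Usage: hide_home_and_run USER COMMAND [ARGS...]
hide_home_and_run() {
    local user=$1; shift
    local empty
    empty=$(mktemp -d)                 # 1. empty directory to put over /home
    # 2. unshare -m forks the mount table for the child (needs CAP_SYS_ADMIN).
    #    The directory, user and command are passed as positional parameters
    #    so nothing is interpolated into the inner script.
    unshare -m sh -c '
        set -e
        empty=$1 user=$2; shift 2
        # 3. make the whole tree private so step 4 stays in this namespace
        #    (util-linux >= 2.27 unshare already does this by default)
        mount --make-rprivate /
        # 4. hide /home behind the empty directory
        mount --bind "$empty" /home
        # 5. drop privileges; the mount namespace is inherited by the child
        exec runuser -u "$user" -- "$@"
    ' hide_home "$empty" "$user" "$@"
}

# With no arguments only report the propagation mode; with arguments, run.
if [ $# -eq 0 ]; then
    printf '/ is %s, /home is %s\n' "$(mount_propagation /)" "$(mount_propagation /home)"
else
    hide_home_and_run "$@"
fi
```

`mount --make-rprivate /` is used rather than a `--make-private` on /home itself because /home is often not a separate mount point, and making the whole tree private inside the new namespace is the general form of the "unshare /home" step. The bind only hides the path `/home`: the same files stay reachable through any other mount or bind of the home filesystem.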