Are Yunohost apps sandboxed?

Recently found out about YH and was wondering if it was possible to sandbox each app separately (or if they are sandboxed by default).

In case they are sandboxed, is it possible to move an app and its data between physical servers?

Thanks in advance

Apps are not sandboxed as in containerized. We use the base tools given to us by Debian: user/group ownerships, ACLs, systemd protection flags, etc.

Containerized or not, it is still possible to move an app between physical servers by backing them up and restoring them elsewhere.


Debian 12 had introduced Apparmor 3 by default in the install. Apparmor profiles can be tweaked to restrict application capabilities. It’s quite effective but time-consuming as too many restrictions can prevent applications from working… I wonder how this will be implemented in Yunohost.


I’m not sure this would be anything really new compared to what we already do with systemd tweaking (which also includes “capabilities”, dunno if that refers to the same thing)


Can you tell more about this?

I think this is what Aleks is referring to :

1 Like