In Debian there is no such thing as stackable wrappers.
A wrapper in this context is defined as a minimal script that automatically prepends something in front of a program that the user wants to run.
Here are some examples of commands to prepend:
* firejail firefox
* torsocks gpg
* LD_PRELOAD="$LD_PRELOAD":libeatmydata.so rsync
* bindp, timeprivacy and probably a lot more
* probably quite some dpkg diversions used for that purpose
One can have one wrapper using dpkg-diversions / symlinks but it's getting harder to stack these wrappers. Specifically harder if these wrappers are supposed to be installed by different packages.
* dpkg diversions / symlinks:
** one can only have one dpkg diversion per command
** when using a dpkg-diversion for lets say curl to prepend torsocks then one can no longer use 'killall curl' but must use 'killall curl.dpkg-diversion-extension'
** these can break various things such as AppArmor profiles
** other weird things can happen, for example
*** '~/.local/share/Ricochet/ricochet/ricochet.json' becomes
* '.desktop' files
** '.desktop' files aren't a solution, since these do not work for applications started from a terminal emulator or virtual terminal.
** Not allowed for packages.
* amend PATH
real world example:
* We at Whonix would like to prepend both, torssocks (for stream isolation) as well as firejail (as containment), in front of gpg
* improve draft
* read https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822693
* send to debian-devel mailing list