Re: [Bug-gnuzilla] sandboxing icecat
From: Mike Gerwitz
Subject: Re: [Bug-gnuzilla] sandboxing icecat
Date: Tue, 09 Oct 2018 13:17:45 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

(CC'd Ludo and quoted message in full)
On Tue, Oct 09, 2018 at 10:51:09 -0400, Ian Kelling wrote:
> rms asked me about sandboxing icecat.
>
> I recommended some documentation like this:
> "We recommend that you use a sandbox package with Icecat. Which one
> depends on what package you already use and what is supported with your
> version of Icecat on your distro. For the upstream Icecat, a recent
> version of Firejail is probably the easiest to set up. For Icecat
> distributed in a distro, apparmor or selinux are probably easiest."
>
> But he suggested that most people wouldn't do anything because it's
> difficult and vague, and that it should be set up to work out of the box.

We've had discussions in Guix about automatically wrapping programs like
IceCat in a container:

https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html

(Sorry, Ludo, I haven't forgotten about your script! I plan to try it
soon since I need to update my container package for IceCat 60 anyway.)

> I'm thinking some distros do have it sandboxed out of the box, maybe
> fedora and ubuntu?

We should probably define "sandbox", since it can mean a number of
things. For me, I don't want my web browser to have access to any part
of my system that I haven't explicitly given it permission to access;
Debian and Ubuntu certainly don't do that type of sandboxing (because I
can use `file://' to any part of the system), but they _do_ include
apparmor profiles for Firefox.

With my Guix configuration, I run IceCat from within a container and,
consequently, it is rather well isolated.

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com