Re: [Bug-gnuzilla] sandboxing icecat

[Mike Gerwitz]

(CC'd Ludo and quoted message in full)

On Tue, Oct 09, 2018 at 10:51:09 -0400, Ian Kelling wrote:
> rms asked me about sandboxing icecat.
>
> I recommended some documentation like this:
> "We recommend that you use a sandbox package with Icecat. Which one
> depends on what package you already use and what is supported with your
> version of Icecat on your distro. For the upstream Icecat, a recent
> version of Firejail is probably the easiest to setup. For Icecat
> distributed in a distro, apparmor or selinux are probably easiest."
>
> But he suggested that most people wouldn't do anything because it's
> difficult and vague, and that it should be setup to work out of the box.

We've had discussions in Guix about automatically wrapping programs like
IceCat in a container:

  https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html

(Sorry, Ludo, I haven't forgotten about your script!  I plan to try it
soon since I need to update my container package for IceCat 60 anyway.)

> I'm thinking some distros do have it sandboxed out of the box, maybe
> fedora and ubuntu?

We should probably define "sandbox", since it can mean a number of
things.  For me, I don't want my web browser to have access to any part
of my system that I haven't explicitly given it permission to access;
Debian and Ubuntu certainly don't do that type of sandboxing (because I
can use `file://' to any part of the system), but they _do_ include
apparmor profiles for Firefox.

With my Guix configuration, I run IceCat from within a container and,
consequently, it is rather well isolated.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

signature.asc
Description: PGP signature