[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnuzilla] sandboxing icecat

From: Mike Gerwitz
Subject: Re: [Bug-gnuzilla] sandboxing icecat
Date: Tue, 09 Oct 2018 13:17:45 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

(CC'd Ludo and quoted message in full)

On Tue, Oct 09, 2018 at 10:51:09 -0400, Ian Kelling wrote:
> rms asked me about sandboxing icecat.
> I recommended some documentation like this:
> "We recommend that you use a sandbox package with Icecat. Which one
> depends on what package you already use and what is supported with your
> version of Icecat on your distro. For the upstream Icecat, a recent
> version of Firejail is probably the easiest to setup. For Icecat
> distributed in a distro, apparmor or selinux are probably easiest."
> But he suggested that most people wouldn't do anything because it's
> difficult and vague, and that it should be setup to work out of the box.

We've had discussions in Guix about automatically wrapping programs like
IceCat in a container:


(Sorry, Ludo, I haven't forgotten about your script!  I plan to try it
soon since I need to update my container package for IceCat 60 anyway.)

> I'm thinking some distros do have it sandboxed out of the box, maybe
> fedora and ubuntu?

We should probably define "sandbox", since it can mean a number of
things.  For me, I don't want my web browser to have access to any part
of my system that I haven't explicitly given it permission to access;
Debian and Ubuntu certainly don't do that type of sandboxing (because I
can use `file://' to any part of the system), but they _do_ include
apparmor profiles for Firefox.

With my Guix configuration, I run IceCat from within a container and,
consequently, it is rather well isolated.

Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]