11 Dec
2009
11 Dec
'09
12:02 a.m.
Pierre Schmitz schrieb:
PS: I think I got the sandbox feature working. So don't be afraid of the suid binary. That is needed to chroot each browser tab. (otherwise you'll need selinux or seccomp; the latter didn't really work for me)
If you just want chroot, "setcap cap_sys_chroot +ep /usr/bin/whatever" is sufficient. Setuid on a browser is the worst idea I ever heard - especially for a feature that is supposed to provide extra security.