[arch-general] sandboxing
Shridhar Daithankar
ghodechhap at ghodechhap.net
Sun Feb 5 10:57:39 UTC 2017
On Saturday 4 February 2017 11:00:12 PM IST Leonid Isaev wrote:
> > Exactly. If I am running chromium with firejail, which whitelists what
> > chromium can do to the file system (even better with --private); the browser
> > cannot tamper with .profile/.bash_profile or .ssh.
>
> See, this is the problem: Why would a browser need these files? File access
> should only be possible with user interaction (via a file-open dialog).
Ideally, it doesn't. But programs have bugs and it's nice to restrict them if
those happen.
Chromium is just an example. Here is something firejail (again an example
sandbox) would prevent.
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
--
Regards
Shridhar
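The kind of restriction discussed in the thread, written out as a firejail profile fragment. This is an added example, not from the thread or the firejail project; it assumes a local override file (`~/.config/firejail/chromium.local`, which stock firejail profiles include) and the standard profile keywords `blacklist`, `read-only`, `whitelist` and `private`, plus the `${HOME}`/`${DOWNLOADS}` macros.

```text
# Added example: ~/.config/firejail/chromium.local (assumed override location).
# Goal: a browser bug must not be able to plant code in shell startup files
# or read SSH keys, while file-open/save dialogs still work.

# SSH keys are not visible at all inside the sandbox.
blacklist ${HOME}/.ssh

# Shell startup files stay readable (some dialogs stat them) but cannot be
# modified, so a compromised renderer cannot append a persistence hook.
read-only ${HOME}/.profile
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bashrc

# Only the download folder remains writable; everything else in ${HOME}
# that is not whitelisted becomes inaccessible.
whitelist ${DOWNLOADS}

# Alternative to the lines above: "private" replaces the real home with an
# empty temporary one, so none of the files exist from the browser's view.
# Uncomment it only if the blacklist/whitelist lines are removed, since the
# two approaches are redundant together.
# private
```

To check the effect, start a shell under the same profile (`firejail --profile=/etc/firejail/chromium.profile bash`, assuming that path) and try `ls ~/.ssh` and `touch ~/.profile`; both should fail, while writing into `~/Downloads` succeeds. `firejail --list` shows the sandboxes currently running and the profile each was started with.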