(CC'd Ludo and quoted message in full)

On Tue, Oct 09, 2018 at 10:51:09 -0400, Ian Kelling wrote:
> rms asked me about sandboxing icecat.
>
> I recommended some documentation like this:
> "We recommend that you use a sandbox package with Icecat. Which one
> depends on what package you already use and what is supported with your
> version of Icecat on your distro. For the upstream Icecat, a recent
> version of Firejail is probably the easiest to set up. For Icecat
> distributed in a distro, apparmor or selinux are probably easiest."
>
> But he suggested that most people wouldn't do anything because it's
> difficult and vague, and that it should be set up to work out of the box.

We've had discussions in Guix about automatically wrapping programs like
IceCat in a container:

  https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html

(Sorry, Ludo, I haven't forgotten about your script! I plan to try it soon
since I need to update my container package for IceCat 60 anyway.)

> I'm thinking some distros do have it sandboxed out of the box, maybe
> fedora and ubuntu?

We should probably define "sandbox", since it can mean a number of things.
For me, I don't want my web browser to have access to any part of my system
that I haven't explicitly given it permission to access; Debian and Ubuntu
certainly don't do that type of sandboxing (because I can use `file://' to
any part of the system), but they _do_ include apparmor profiles for
Firefox. With my Guix configuration, I run IceCat from within a container
and, consequently, it is rather well isolated.

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
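One way to express the "nothing unless explicitly granted" model described in the reply above, as an added example that is neither part of this thread nor Ludo's script: a POSIX sh wrapper that launches IceCat under `guix environment --container`, mapping in only a dedicated empty home directory, one downloads directory, the X11 socket and the system certificate store. The script, the directory names and the environment variables it reads are assumptions; the flags are the documented `guix environment` options of the Guix 1.0 era, and `--container` is assumed to imply a pure environment (hence the explicit `--preserve` entries).

```shell
#!/bin/sh
# Hypothetical wrapper (not from the thread): run IceCat inside a Guix container
# in which nothing from the host is visible unless it is mapped in below.
# Assumes `guix environment --container` (Guix 1.0 era) and an X11 session.
set -e

# Dedicated, initially empty home for the browser; the real $HOME stays hidden.
SANDBOX_HOME="${ICECAT_SANDBOX_HOME:-$HOME/.icecat-sandbox}"
# The single host directory the browser may write to (downloads).
DOWNLOADS="${ICECAT_DOWNLOADS:-$HOME/Downloads/icecat}"

prepare_dirs() {
  mkdir -p "$SANDBOX_HOME" "$DOWNLOADS"
}

# Print the argument list one item per line so it can be audited before use.
# Paths must not contain whitespace because the list is word-split at launch.
icecat_container_args() {
  # X authentication: map the cookie file in only when the session uses one.
  if [ -n "${XAUTHORITY:-}" ]; then
    printf '%s\n' '--preserve=^XAUTHORITY$' "--expose=$XAUTHORITY"
  fi
  cat <<EOF
--container
--network
--no-cwd
--preserve=^DISPLAY$
--share=$SANDBOX_HOME=$HOME
--share=$DOWNLOADS=$HOME/Downloads
--expose=/tmp/.X11-unix
--expose=/etc/ssl/certs
--ad-hoc
icecat
EOF
}

# "review" (the default) just shows the grants; "launch" starts the browser.
case "${1:-review}" in
  launch)
    prepare_dirs
    exec guix environment $(icecat_container_args) -- icecat ;;
  review)
    icecat_container_args ;;
esac
```

Anything not listed (the rest of `$HOME`, other mounts, the working directory) is absent inside the container, so a `file://` URL to it simply fails.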
-- http://gnuzilla.gnu.org
