Mike Gerwitz <[email protected]> writes:
> (CC'd Ludo and quoted message in full)
>
> On Tue, Oct 09, 2018 at 10:51:09 -0400, Ian Kelling wrote:
>> rms asked me about sandboxing icecat.
>>
>> I recommended some documentation like this:
>> "We recommend that you use a sandbox package with Icecat. Which one
>> depends on what package you already use and what is supported with your
>> version of Icecat on your distro. For the upstream Icecat, a recent
>> version of Firejail is probably the easiest to set up. For Icecat
>> distributed in a distro, apparmor or selinux are probably easiest."
>>
>> But he suggested that most people wouldn't do anything because it's
>> difficult and vague, and that it should be set up to work out of the box.
>
> We've had discussions in Guix about automatically wrapping programs like
> IceCat in a container:
>
> https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html
>
> (Sorry, Ludo, I haven't forgotten about your script! I plan to try it
> soon since I need to update my container package for IceCat 60 anyway.)
>
>> I'm thinking some distros do have it sandboxed out of the box, maybe
>> fedora and ubuntu?
>
> We should probably define "sandbox", since it can mean a number of
> things. For me, I don't want my web browser to have access to any part
> of my system that I haven't explicitly given it permission to access;
> Debian and Ubuntu certainly don't do that type of sandboxing (because I
> can use `file://' to any part of the system), but they _do_ include
> apparmor profiles for Firefox.
>
> With my Guix configuration, I run IceCat from within a container and,
> consequently, it is rather well isolated.

Nice. Yes, I spoke to rms again; it seems we should generally encourage
distros to sandbox it rather than bothering users.

- Ian
-- 
http://gnuzilla.gnu.org
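The "nothing I haven't explicitly granted" sandbox Mike describes, as an added example that is not part of this thread and is neither Ludo's script nor Guix project code: a POSIX sh launcher that runs IceCat inside `guix environment --container`, sharing only a profile directory and a downloads directory into the container's dummy home, so a `file://` URL to anything else on the host fails inside the browser. It also carries a small guard that refuses a share broad enough to undo the isolation (the whole home directory, all of /etc, or /). The directory names are constructed, and it assumes a Guix recent enough to have `--preserve` for passing DISPLAY through; X11 access via /tmp/.X11-unix is likewise an assumption about the host.

```shell
#!/bin/sh
# Added example, not from the thread and not Guix's own code.  Launches IceCat
# in a `guix environment --container' that sees only the host paths named here.
# ICECAT_PROFILE_DIR and ICECAT_DOWNLOADS are constructed example paths.

ICECAT_PROFILE_DIR="${ICECAT_PROFILE_DIR:-$HOME/icecat-profile}"
ICECAT_DOWNLOADS="${ICECAT_DOWNLOADS:-$HOME/Downloads}"

# Guard: a share of /, /etc or the whole home directory would hand the
# browser `file://' access to everything again.  Returns 1 for such a path.
share_is_narrow() {
    case "$1" in
        /|/etc|"$HOME"|"$HOME"/) return 1 ;;
    esac
    return 0
}

# Print the guix arguments one per line.  Anything not --share'd or
# --expose'd does not exist inside the container: no real $HOME, no
# /etc/passwd, no ssh keys.  --network is needed for a browser;
# --preserve passes DISPLAY through (assumes a Guix that supports it).
icecat_container_args() {
    for src in "$ICECAT_PROFILE_DIR" "$ICECAT_DOWNLOADS"; do
        share_is_narrow "$src" || { echo "refusing to share $src" >&2; return 1; }
    done
    printf '%s\n' \
        environment --container --network --ad-hoc icecat \
        --preserve='^DISPLAY$' \
        --expose=/tmp/.X11-unix \
        --share="$ICECAT_PROFILE_DIR=$HOME/.mozilla" \
        --share="$ICECAT_DOWNLOADS=$HOME/Downloads" \
        -- icecat
}

# Launch: split the argument list on newlines only, so paths with spaces
# survive, then exec guix with it.
run_icecat_container() {
    args=$(icecat_container_args) || return 1
    mkdir -p "$ICECAT_PROFILE_DIR" "$ICECAT_DOWNLOADS"
    oldifs=$IFS
    IFS='
'
    set -f
    set -- $args
    set +f
    IFS=$oldifs
    exec guix "$@"
}

# Only launch when asked to and when guix is actually installed, so the file
# can also be sourced to reuse the guard and argument builder.
if [ "${1:-}" = "--run" ] && command -v guix >/dev/null 2>&1; then
    run_icecat_container
fi
```

Run it as `sh icecat-container.sh --run`. The profile directory is separate from the real `~/.mozilla` on purpose: the container gets its own browser state, and a compromise of the browser reaches only what was shared.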
