On Wed, Nov 08, 2006 at 09:08:02AM -0500, Lowell Gilbert wrote:
> "mal content" <[EMAIL PROTECTED]> writes:
>
> > On 08/11/06, mal content <[EMAIL PROTECTED]> wrote:
> >> Hi.
> >>
> >> This is mostly hypothetical, just because I want to see how knowledgeable
> >> people would go about achieving it:
> >>
> >> I want to sandbox Mozilla Firefox. For the sake of example, I'm running it
> >> under my own user account. The idea is that it should be allowed to
> >> connect to the X server, it should be allowed to write to ~/.mozilla and
> >> /tmp.
> >>
> >> I expect some configurations would want access to audio devices in
> >> /dev, but for simplicity, that's ignored here.
> >>
> >> All other filesystem access is denied.
> >>
> >> Ready...
> >>
> >> Go!
> >>
> >> MC
> >>
> >
> > I forgot to add: Use of TrustedBSD extensions is, of course, allowed.
>
> Putting an X Windows application in a sandbox is kind of silly. After
> all, X has to have direct access to memory.
The X *server* needs direct access to memory. X clients (like Firefox or
just about any other application using X) do not need direct access to
memory. They don't even need to run on the same machine as the X server.

> A virtual machine
> approach, with a whole virtual set of memory, might make more sense.
> I use that (via qemu), although not for exactly the same reasons.

--
<Insert your favourite quote here.>
Erik Trulsson
[EMAIL PROTECTED]
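The access policy in the original question (connect to the X server, read/write under ~/.mozilla and /tmp, deny everything else), modelled as a small allowlist evaluator. This is an added example, not code from the thread or from FreeBSD's MAC framework; the home directory, the X socket path and the symlink table are constructed assumptions. It shows the two checks any real enforcement layer (a TrustedBSD MAC policy, a jail, or a separate uid) has to get right: prefix matching that does not let `/tmpfoo` pass as `/tmp`, and canonicalising `..` and symlinks before comparing, since a lexical match on `/tmp/escape/passwd` says nothing about where the path really leads.

```python
import posixpath

# Constructed assumptions for this example (not from the original post):
HOME = "/home/mc"                    # hypothetical home of the user running Firefox
X_SOCKET = "/tmp/.X11-unix/X0"       # usual Unix-domain socket of X display :0
SYMLINKS = {"/tmp/escape": "/etc"}   # a constructed symlink, to show an escape attempt

# Policy from the thread: connect to the X server, read/write under ~/.mozilla
# and /tmp, deny everything else.
RW_PREFIXES = (posixpath.join(HOME, ".mozilla"), "/tmp")
MAX_LINK_DEPTH = 40


def canonicalize(path, symlinks=SYMLINKS, depth=0):
    """Return an absolute path with '.', '..' and symlinks resolved.

    The symlink table stands in for the filesystem so the example runs offline;
    a real policy engine must resolve against the live filesystem instead.
    """
    if not path.startswith("/"):
        raise ValueError("policy paths must be absolute: %r" % path)
    if depth > MAX_LINK_DEPTH:
        raise ValueError("too many levels of symbolic links")
    resolved = "/"
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            resolved = posixpath.dirname(resolved) if resolved != "/" else "/"
            continue
        candidate = posixpath.join(resolved, part)
        target = symlinks.get(candidate)
        if target is None:
            resolved = candidate
        else:
            # A symlink is re-resolved from scratch: an absolute target such as
            # /etc leaves the allowed prefix no matter how the path looked.
            if not target.startswith("/"):
                target = posixpath.join(resolved, target)
            resolved = canonicalize(target, symlinks, depth + 1)
    return resolved


def under_prefix(path, prefix):
    """True if path equals prefix or lies inside it.

    A plain string prefix test would accept /tmpfoo for /tmp; comparing on a
    component boundary avoids that.
    """
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def check_access(op, path, symlinks=SYMLINKS):
    """Decide whether sandboxed Firefox may perform op on path.

    op is one of 'connect', 'read', 'write'. Returns (allowed, resolved_path)
    so a denial can be logged with the path that was actually evaluated.
    """
    real = canonicalize(path, symlinks)
    if op == "connect":
        return real == X_SOCKET, real
    if op in ("read", "write"):
        return any(under_prefix(real, p) for p in RW_PREFIXES), real
    return False, real


if __name__ == "__main__":
    for op, p in [("write", "/home/mc/.mozilla/firefox/prefs.js"),
                  ("read", "/home/mc/.ssh/id_rsa"),
                  ("write", "/home/mc/.mozilla/../.ssh/id_rsa"),
                  ("write", "/tmpfoo/x"),
                  ("read", "/tmp/escape/passwd"),
                  ("connect", "/tmp/.X11-unix/X0")]:
        allowed, real = check_access(op, p)
        print("%-7s %-40s -> %s (%s)" % (op, p, "allow" if allowed else "deny", real))
```

Two things worth noticing when reading the output: granting read/write on all of /tmp already covers the X socket directory and every other user's temporary files, so a tighter policy would allow `connect` on the one socket and give Firefox a private temp directory instead; and a resolve-then-check sequence done in userland is racy (the link can change between the lookup and the open), which is why enforcement of this kind belongs in the kernel, where the MAC framework or a jail sees the final vnode rather than a string.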
