On Sun, Nov 29, 2015 at 01:15:24PM +0100, Lampshade wrote:
> Is it possible, in theory, to use pledge(2) to make something similar to 
> firejail?
> https://packages.debian.org/sid/main/firejail
> Firejail is a Gnu/Linux's program which executes Firefox as it's descendant
> with reduced privilages.
> For example I would like to restrict Firefox to not write and read to 
> directory
> outside /home/firefox directory. Let's assume that I run firefox as another 
> user than
> my normal account. I would restrict, using traditional Unix privilages, 
> Firefox
> and all its descendants, logging as another user to regain privilages to
> for example to /home/open. I imagine that would still leave huge attack vector
> to pown system and/or sniff password, but I think it is better than nothing.

Firefox is a huge app. IMO you should ask upstream for a feature to be
able to define r/o and r/w paths which Firefox could use. Then OS specific
sandboxing-like features could implement enforcing such policy.


Reply via email to