On Sun, Nov 29, 2015 at 01:15:24PM +0100, Lampshade wrote:
> Is it possible, in theory, to use pledge(2) to make something similar to
> firejail?
> https://packages.debian.org/sid/main/firejail
> Firejail is a GNU/Linux program which executes Firefox as its descendant
> with reduced privileges.
> For example I would like to restrict Firefox to not write and read to
> directories outside the /home/firefox directory. Let's assume that I run
> firefox as another user than my normal account. I would restrict, using
> traditional Unix privileges, Firefox and all its descendants, logging in
> as another user to regain privileges to, for example, /home/open. I imagine
> that would still leave a huge attack vector to pwn the system and/or sniff
> passwords, but I think it is better than nothing.
Firefox is a huge app. IMO you should ask upstream for a feature to be able to define r/o and r/w paths which Firefox could use. Then OS-specific sandboxing-like features could implement enforcing such a policy.

j.