From: Erik Trulsson (ertr1013student.uu.se)
Date: Wed Nov 08 2006 - 08:23:06 CST
On Wed, Nov 08, 2006 at 09:08:02AM -0500, Lowell Gilbert wrote:
> "mal content" <artifact.onegooglemail.com> writes:
> > On 08/11/06, mal content <artifact.onegooglemail.com> wrote:
> >> Hi.
> >> This is mostly hypothetical, just because I want to see how knowledgeable
> >> people would go about achieving it:
> >> I want to sandbox Mozilla Firefox. For the sake of example, I'm running it
> >> under my own user account. The idea is that it should be allowed to
> >> connect to the X server, it should be allowed to write to ~/.mozilla and
> >> /tmp.
> >> I expect some configurations would want access to audio devices in
> >> /dev, but for simplicity, that's ignored here.
> >> All other filesystem access is denied.
> >> Ready...
> >> Go!
> >> MC
> > I forgot to add: Use of TrustedBSD extensions is, of course, allowed.
> Putting an X Windows application in a sandbox is kind of silly. After
> all, X has to have direct access to memory.
The X *server* needs direct access to memory. X clients (like Firefox or
just about any other application using X) do not need direct access to
memory. They don't even need to run on the same machine as the X server.
> A virtual machine
> approach, with a whole virtual set of memory, might make more sense.
> I use that (via qemu), although not for exactly the same reasons.
<Insert your favourite quote here.>
freebsd-securityfreebsd.org mailing list