
Indeed. This is one of the reasons I use the SELinux sandbox to run my browser: there are a lot of ways that a browser could become a vulnerability. I would like to think I would always remember not to copy/paste from a website into my terminal, but the truth is that I could easily forget -- if I were in a hurry, if I knew the guy who made the website (but did not stop to think that someone might have hacked into the server), etc. Unfortunately it is hard to advise that everyone do this; the sandbox is very restrictive and basically incompatible with how most people use their computers.



Ubuntu ships Firefox with an AppArmor profile, although it appears that it is disabled by default (presumably for the same reason you give).


Do you have any write-ups on how one would accomplish this SELinux sandbox for your browser? Thanks!


http://danwalsh.livejournal.com/31146.html

One very simple way to get a sandboxed browser is to run this command (my irony meter is going off the charts here):

sandbox -X -t sandbox_web_t firefox

However, that will prevent any persistence between sessions, so you probably want to do something more like this:

sandbox -X -H /path/to/some/directory -t sandbox_web_t firefox

My recommendation is that you read the man pages and experiment a bit.


my irony meter is going off the charts here

Nothing wrong with showing commands and examples to be used. It's the cut-and-paste aspect that's an issue.

My first action was to search through my package repos (Debian) to see if that sandbox command is known to my packaging system (it's not, hrm...).


About that, recently I started to watch some videos about SELinux, and I thought it could be a good idea to use it for isolating some likely-to-leak software (e.g. Skype).



