Is Firefox a Good Thing?

Arthur Pemberton pemboa at gmail.com
Fri Oct 13 19:54:14 UTC 2006


On 10/13/06, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On 10/13/06, Andy Green <andy at warmcat.com> wrote:
> [snip]
> > Shouldn't this cause a terrified reassessment of having Firefox in the
> > distro at all, given its unique position running as the user (under
> > whose credentials, typically, the entire value of the box resides),
> > making connections to random addresses and running poorly understood
> > local code according to what it finds there?
>
> Before I reinvent the wheel, can someone tell me if something like
> this is being done:
>
> For most user applications it would be possible to SELinux sandbox
> them very tightly (nothing more than file access to a few specific
> files/directories, no sockets to the local box except for printing,
> etc) were it not for one issue: File save / File load.
>
> As a result it would really make sense to convert the file save/load
> into a separate process which can read/write anywhere the user has
> access and then communicate to the hosting app via stdin/out or other
> lightweight IPC. The file box app could be carefully audited so that
> we could be confident that it would only read and write things with
> the user's consent.
>
> Most user apps could be tightly confined with only this one little
> tool.. gimp, gaim, xchat, etc.
>
> Is anyone already working on something like that?
>

You mean Firefox isn't under SELinux policies in strict mode?

-- 
Fedora Core 5 and proud
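
The separate file save/load process proposed in the quoted message, sketched as an added example that is not part of the original thread: a trusted "file box" process opens the file the user picked and hands the confined application only the open descriptor. The names `file_box`, `ask` and `demo`, the `open`/`save`/`OK`/`DENY` messages and the use of a Unix socket pair with descriptor passing (instead of stdin/stdout) are assumptions; the SELinux policy that would confine the application is not shown.

```python
import os
import socket
import tempfile

def file_box(sock, choose):
    # Trusted helper with the user's full file access. choose(request) stands in
    # for the audited dialog: it returns the path the user picked, or None.
    while True:
        request = sock.recv(16).decode()
        if not request:                       # application closed its end
            return
        path = choose(request) if request in ("open", "save") else None
        if path is None:
            sock.sendall(b"DENY")
            continue
        flags = os.O_RDONLY if request == "open" else os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        fd = os.open(path, flags, 0o600)
        socket.send_fds(sock, [b"OK"], [fd])  # SCM_RIGHTS: hand over the descriptor only
        os.close(fd)

def ask(sock, request):
    # Confined application side: names an action, never a path.
    sock.sendall(request.encode())
    reply, fds, _, _ = socket.recv_fds(sock, 16, 1)
    return fds[0] if reply == b"OK" and fds else None

def demo():
    picked = os.path.join(tempfile.mkdtemp(), "notes.txt")  # constructed sample file
    with open(picked, "w") as f:
        f.write("user-approved data")
    answers = {"open": picked, "save": None}  # user picks a file, later cancels a save
    app_end, box_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                              # child process plays the file box
        try:
            app_end.close()
            file_box(box_end, answers.get)
        finally:
            os._exit(0)
    box_end.close()                           # parent plays the confined application
    fd = ask(app_end, "open")
    with os.fdopen(fd) as f:
        content = f.read()
    denied = ask(app_end, "save")
    app_end.close()
    os.waitpid(pid, 0)
    return content, denied

if __name__ == "__main__":
    print(demo())
```

Because the application receives a descriptor rather than a path, its own policy needs no directory access at all; it only needs permission to use descriptors inherited from the file box.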




More information about the fedora-devel-list mailing list