[Bug-gnuzilla] sandboxing icecat
Ian Kelling
2018-10-09 14:51:09 UTC
rms asked me about sandboxing icecat.

I recommended some documentation like this:
"We recommend that you use a sandbox package with Icecat. Which one
depends on what package you already use and what is supported with your
version of Icecat on your distro. For the upstream Icecat, a recent
version of Firejail is probably the easiest to set up. For Icecat
distributed in a distro, apparmor or selinux are probably easiest."

But he suggested that most people wouldn't do anything because it's
difficult and vague, and that it should be set up to work out of the box.

I'm thinking some distros do have it sandboxed out of the box, maybe
fedora and ubuntu?
--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org

--
http://gnuzilla.gnu.org
Mike Gerwitz
2018-10-09 17:17:45 UTC
(CC'd Ludo and quoted message in full)
Post by Ian Kelling
rms asked me about sandboxing icecat.
"We recommend that you use a sandbox package with Icecat. Which one
depends on what package you already use and what is supported with your
version of Icecat on your distro. For the upstream Icecat, a recent
version of Firejail is probably the easiest to set up. For Icecat
distributed in a distro, apparmor or selinux are probably easiest."
But he suggested that most people wouldn't do anything because it's
difficult and vague, and that it should be set up to work out of the box.
We've had discussions in Guix about automatically wrapping programs like
IceCat in a container:

https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html

(Sorry, Ludo, I haven't forgotten about your script! I plan to try it
soon since I need to update my container package for IceCat 60 anyway.)
Post by Ian Kelling
I'm thinking some distros do have it sandboxed out of the box, maybe
fedora and ubuntu?
We should probably define "sandbox", since it can mean a number of
things. For me, I don't want my web browser to have access to any part
of my system that I haven't explicitly given it permission to access;
Debian and Ubuntu certainly don't do that type of sandboxing (because I
can use `file://' to any part of the system), but they _do_ include
apparmor profiles for Firefox.

With my Guix configuration, I run IceCat from within a container and,
consequently, it is rather well isolated.
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
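Mike's point that "sandbox" needs defining, and Ian's note that Firejail or AppArmor may or may not be in effect depending on the distro, both come down to one practical question: is the browser process actually confined right now? The script below is an added example, not code from this thread, from Firejail or from the Guix/IceCat packaging. It reads the kernel's own view of a process (the Seccomp and NoNewPrivs fields of /proc/PID/status and the AppArmor label in /proc/PID/attr/current) and adds a readability probe for the kind of `file://` access Mike describes. It assumes a Linux /proc; the status and label contents used in the checks below are constructed samples.

```sh
#!/bin/sh
# Added example: report how confined a running browser actually is, using the
# kernel's view of the process rather than trusting that a profile "exists".
# Assumes Linux /proc. Sample inputs for offline testing are constructed.

# Seccomp field from a /proc/PID/status file: 0 = none, 1 = strict, 2 = filter.
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found=1 } END { if (!found) print "unknown" }' "$1"
}

# NoNewPrivs field: 1 means the process can no longer gain privileges via
# setuid binaries or file capabilities (set by both Firejail and seccomp users).
no_new_privs() {
    awk '/^NoNewPrivs:/ { print $2; found=1 } END { if (!found) print "unknown" }' "$1"
}

# AppArmor label from /proc/PID/attr/current. Typical values are "unconfined"
# or "<profile name> (enforce)". Prints "none" when the LSM interface is absent.
apparmor_label() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf 'none'; fi
}

# One-word verdict combining a status file and an AppArmor label file.
verdict() {
    status_file=$1
    attr_file=$2
    sc=$(seccomp_mode "$status_file")
    aa=$(apparmor_label "$attr_file")
    case "$aa" in
        *'(enforce)'*) aa_ok=1 ;;
        *)             aa_ok=0 ;;
    esac
    if [ "$sc" = 2 ] && [ "$aa_ok" = 1 ]; then echo "seccomp+apparmor"
    elif [ "$sc" = 2 ]; then echo "seccomp-only"
    elif [ "$aa_ok" = 1 ]; then echo "apparmor-only"
    else echo "unconfined"
    fi
}

# Inspect a live process by PID, e.g. after: firejail icecat &
inspect_pid() {
    verdict "/proc/$1/status" "/proc/$1/attr/current"
}

# Mike's file:// test, done from the shell: run this from inside the sandbox
# (e.g. `firejail --profile=icecat sh probe.sh`) and see which paths survive.
# Inside a container or Firejail private home, ~/.ssh and friends should be
# "blocked"; from a plain AppArmor-only setup they are usually still readable.
probe_paths() {
    for p in "$@"; do
        if [ -r "$p" ]; then printf '%s: readable\n' "$p"
        else printf '%s: blocked\n' "$p"
        fi
    done
}

# Stand-alone use: `sh sandbox_check.sh <PID>` prints the verdict for that PID.
if [ -n "${1:-}" ]; then
    inspect_pid "$1"
    probe_paths "$HOME/.ssh" "$HOME/.gnupg" /etc/shadow
fi
```

Two caveats when reading the output. A Seccomp value of 2 on its own does not prove an external sandbox: Firefox-derived browsers apply their own seccomp-bpf filter to content processes, so check the main browser process (for example `inspect_pid "$(pgrep -n icecat)"` picks the newest matching PID, which is often a content process; compare it with the parent). And an AppArmor label that reads "(complain)" rather than "(enforce)" means the profile is only logging, which is why the verdict above counts only enforce mode as confinement.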
Ian Kelling
2018-10-09 19:41:53 UTC
Post by Mike Gerwitz
(CC'd Ludo and quoted message in full)
Post by Ian Kelling
rms asked me about sandboxing icecat.
"We recommend that you use a sandbox package with Icecat. Which one
depends on what package you already use and what is supported with your
version of Icecat on your distro. For the upstream Icecat, a recent
version of Firejail is probably the easiest to set up. For Icecat
distributed in a distro, apparmor or selinux are probably easiest."
But he suggested that most people wouldn't do anything because it's
difficult and vague, and that it should be set up to work out of the box.
We've had discussions in Guix about automatically wrapping programs like
IceCat in a container:
https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html
(Sorry, Ludo, I haven't forgotten about your script! I plan to try it
soon since I need to update my container package for IceCat 60 anyway.)
Post by Ian Kelling
I'm thinking some distros do have it sandboxed out of the box, maybe
fedora and ubuntu?
We should probably define "sandbox", since it can mean a number of
things. For me, I don't want my web browser to have access to any part
of my system that I haven't explicitly given it permission to access;
Debian and Ubuntu certainly don't do that type of sandboxing (because I
can use `file://' to any part of the system), but they _do_ include
apparmor profiles for Firefox.
With my Guix configuration, I run IceCat from within a container and,
consequently, it is rather well isolated.
Nice.

Yes, I spoke to rms again, it seems we should generally encourage
distros to sandbox it rather than bothering users.

- Ian
