Re: Sandboxing



On Wed, Nov 08, 2006 at 09:08:02AM -0500, Lowell Gilbert wrote:
> "mal content" <artifact.one@xxxxxxxxxxxxxx> writes:
>
> > On 08/11/06, mal content <artifact.one@xxxxxxxxxxxxxx> wrote:
> > > Hi.
> > >
> > > This is mostly hypothetical, just because I want to see how knowledgeable
> > > people would go about achieving it:
> > >
> > > I want to sandbox Mozilla Firefox. For the sake of example, I'm running it
> > > under my own user account. The idea is that it should be allowed to
> > > connect to the X server, it should be allowed to write to ~/.mozilla and
> > > /tmp.
> > >
> > > I expect some configurations would want access to audio devices in
> > > /dev, but for simplicity, that's ignored here.
> > >
> > > All other filesystem access is denied.
> > >
> > > Ready...
> > >
> > > Go!
> > >
> > > MC
> >
> > I forgot to add: Use of TrustedBSD extensions is, of course, allowed.
>
> Putting an X Windows application in a sandbox is kind of silly. After
> all, X has to have direct access to memory.

The X *server* needs direct access to memory. X clients (like Firefox or
just about any other application using X) do not need direct access to
memory. They don't even need to run on the same machine as the X server.

> A virtual machine
> approach, with a whole virtual set of memory, might make more sense.
> I use that (via qemu), although not for exactly the same reasons.



--
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@xxxxxxxxxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
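[Editor's note, not part of the thread.] Erik's point is that an X client
talks to the server only through a socket, so the sandbox MC describes
needs nothing beyond that socket and the client's own files. The added
example below (not code from the thread or from Firefox) makes the
exchange concrete: it encodes the connection-setup request an X client
writes to the display socket and decodes the three reply forms the server
can send back (Failed, Authenticate, Success), all over constructed byte
strings so it runs without an X server. Two practical caveats for MC's
policy fall out of it: the local socket lives under /tmp/.X11-unix (the
conventional X.org/XFree86 location, assumed here), so allowing /tmp
already covers it, but the client must also be able to read its
MIT-MAGIC-COOKIE-1 credential, which normally comes from ~/.Xauthority (or
whatever XAUTHORITY points at), a path MC's rule set does not allow. The
vendor string, release number and cookie value are made-up sample data.

```python
"""X11 connection-setup exchange as seen on the display socket.

Added example: the client side builds the setup request an X client sends,
the server side builds sample replies. No video memory, no /dev, no X
server involved; only the socket and an authorization cookie. Field layout
follows the X Window System Protocol setup section (little-endian, 'l').
"""
import struct

X11_MAJOR, X11_MINOR = 11, 0


def pad4(n):
    """X11 pads every variable-length field to a multiple of 4 bytes."""
    return (4 - n % 4) % 4


def display_socket_path(display=":0"):
    """Map a DISPLAY value like ':0' or ':1.0' to the local UNIX socket
    (/tmp/.X11-unix/X<n>, the conventional path; an assumption here).
    A sandbox that permits /tmp already permits this socket."""
    host, _, rest = display.partition(":")
    if host not in ("", "unix"):
        raise ValueError("remote display: client would use TCP port 6000+n")
    return "/tmp/.X11-unix/X%d" % int(rest.split(".", 1)[0])


def build_setup_request(auth_name=b"MIT-MAGIC-COOKIE-1", auth_data=b""):
    """Client side: 12-byte header, then padded auth name and auth data.
    auth_data is the cookie read from ~/.Xauthority (or XAUTHORITY)."""
    n, d = len(auth_name), len(auth_data)
    header = struct.pack("<BxHHHHxx", ord("l"), X11_MAJOR, X11_MINOR, n, d)
    return header + auth_name + b"\0" * pad4(n) + auth_data + b"\0" * pad4(d)


def build_failed_reply(reason=b"No protocol specified"):
    """Server side (constructed): reply to a client with a bad/missing cookie."""
    n = len(reason)
    head = struct.pack("<BBHHH", 0, n, X11_MAJOR, X11_MINOR, (n + pad4(n)) // 4)
    return head + reason + b"\0" * pad4(n)


def build_success_reply(vendor=b"The X.Org Foundation"):
    """Server side (constructed): minimal Success reply with zero screens and
    zero pixmap formats (a real server appends at least one of each)."""
    v = len(vendor)
    fixed = struct.pack("<IIIIHHBBBBBBBBxxxx",
                        11000000, 0x00400000, 0x003FFFFF, 256, v, 65535,
                        0, 0, 0, 0, 32, 32, 8, 255)
    body = fixed + vendor + b"\0" * pad4(v)
    return struct.pack("<BxHHH", 1, X11_MAJOR, X11_MINOR, len(body) // 4) + body


def parse_setup_reply(data):
    """Client side: decode the server's reply. Returns a dict whose 'status'
    is 'failed', 'authenticate' or 'success'; raises ValueError on a
    truncated or unknown message instead of reading past the buffer."""
    if len(data) < 8:
        raise ValueError("short reply header")
    status = data[0]
    extra_words = struct.unpack("<H", data[6:8])[0]
    body = data[8:8 + 4 * extra_words]
    if len(body) < 4 * extra_words:
        raise ValueError("truncated reply body")
    if status == 0:  # Failed: reason length is byte 1, reason text in body
        major, minor = struct.unpack("<HH", data[2:6])
        return {"status": "failed", "major": major, "minor": minor,
                "reason": body[:data[1]].decode("latin-1")}
    if status == 2:  # Authenticate: server wants further credentials
        return {"status": "authenticate",
                "reason": body.rstrip(b"\0").decode("latin-1")}
    if status == 1:  # Success: 32-byte fixed part, then vendor string
        major, minor = struct.unpack("<HH", data[2:6])
        (release, rid_base, rid_mask, _motion, vendor_len, max_req,
         nscreens, _nformats) = struct.unpack("<IIIIHHBB", body[:22])
        return {"status": "success", "major": major, "minor": minor,
                "release": release, "resource_id_base": rid_base,
                "resource_id_mask": rid_mask, "max_request_length": max_req,
                "screens": nscreens,
                "vendor": body[32:32 + vendor_len].decode("latin-1")}
    raise ValueError("unknown setup status %d" % status)


if __name__ == "__main__":
    print("socket:", display_socket_path(":0"))
    print("request bytes:", len(build_setup_request(auth_data=b"\x01" * 16)))
    print(parse_setup_reply(build_failed_reply()))
    print(parse_setup_reply(build_success_reply()))
```

In a real session the request goes out over a connect() to the socket path
above and the reply is read back from the same descriptor; a sandbox policy
therefore has to grant the socket, the cookie file and the profile
directory, and nothing in the exchange requires the client to see the
server's memory or its /dev entries.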