
Re: [Bug-gnuzilla] sandboxing icecat


From: Ian Kelling
Subject: Re: [Bug-gnuzilla] sandboxing icecat
Date: Tue, 09 Oct 2018 15:41:53 -0400
User-agent: mu4e 1.0-alpha3; emacs 27.0.50

Mike Gerwitz <address@hidden> writes:

> (CC'd Ludo and quoted message in full)
>
> On Tue, Oct 09, 2018 at 10:51:09 -0400, Ian Kelling wrote:
>> rms asked me about sandboxing icecat.
>>
>> I recommended some documentation like this:
>> "We recommend that you use a sandbox package with IceCat. Which one
>> depends on what package you already use and what is supported with your
>> version of IceCat on your distro. For the upstream IceCat, a recent
>> version of Firejail is probably the easiest to set up. For IceCat
>> distributed in a distro, AppArmor or SELinux are probably easiest."
>>
>> But he suggested that most people wouldn't do anything because it's
>> difficult and vague, and that it should be set up to work out of the box.
>
> We've had discussions in Guix about automatically wrapping programs like
> IceCat in a container:
>
>   https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html
>
> (Sorry, Ludo, I haven't forgotten about your script!  I plan to try it
> soon since I need to update my container package for IceCat 60 anyway.)
>
>> I'm thinking some distros do have it sandboxed out of the box, maybe
>> Fedora and Ubuntu?
>
> We should probably define "sandbox", since it can mean a number of
> things.  For me, I don't want my web browser to have access to any part
> of my system that I haven't explicitly given it permission to access;
> Debian and Ubuntu certainly don't do that type of sandboxing (because I
> can use `file://' to any part of the system), but they _do_ include
> AppArmor profiles for Firefox.
>
> With my Guix configuration, I run IceCat from within a container and,
> consequently, it is rather well isolated.

Nice.

Yes, I spoke to rms again; it seems we should generally encourage
distros to sandbox it rather than bothering users.

- Ian


