From: "mal content" <artifact.one@googlemail.com>
To: freebsd-security@freebsd.org
Date: Wed, 8 Nov 2006 12:41:52 +0000
Subject: Re: Sandboxing
Message-ID: <8e96a0b90611080441t2b486637ya10acd5a1dd77690@mail.gmail.com>
In-Reply-To: <8e96a0b90611080439n558022edj79febf458494ef6e@mail.gmail.com>
List-Id: "Security issues [members-only posting]"

On 08/11/06, mal content wrote:
> Hi.
>
> This is mostly hypothetical, just because I want to see how knowledgeable
> people would go about achieving it:
>
> I want to sandbox Mozilla Firefox. For the sake of example, I'm running it
> under my own user account. The idea is that it should be allowed to
> connect to the X server, it should be allowed to write to ~/.mozilla and
> /tmp.
>
> I expect some configurations would want access to audio devices in
> /dev, but for simplicity, that's ignored here.
>
> All other filesystem access is denied.
>
> Ready...
>
> Go!
>
> MC
>

I forgot to add: Use of TrustedBSD extensions is, of course, allowed.
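One concrete way to approach the policy asked for above, using the TrustedBSD mac_bsdextended(4) module and ugidfw(8). This is an added example written for this page, not code from the thread or from FreeBSD. It departs from the question in one respect and says so: mac_bsdextended matches on subject and object uid/gid, not on paths, so a same-uid policy cannot express "only ~/.mozilla and /tmp". The example therefore assumes a dedicated uid (the user name "firefox", the sysctl/module names, the use of sudo from ports and of X.Org's server-interpreted "si:localuser" authorization are all assumptions of this example). The ruleset is built by a separate function so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original thread): confine a Firefox run under a
# dedicated uid with mac_bsdextended rules. Rules are matched first-match
# (security.mac.bsdextended.firstmatch_enabled=1 is the default), so order matters.
set -eu

FF_USER=${FF_USER:-firefox}       # assumed sandbox account name

# Emit the ugidfw(8) commands for a given numeric uid. Mode letters:
# a=admin r=read s=stat w=write x=exec n=none.
ff_rules() {
    uid=$1
    # 1. Objects the sandbox uid owns: its home (~/.mozilla) and its own files
    #    under the sticky /tmp. Full access.
    echo "ugidfw add subject uid $uid object uid $uid mode arswx"
    # 2. Root-owned objects: shared libraries, /tmp itself, /dev/null and the
    #    X socket under /tmp/.X11-unix. DAC still applies on top of MAC, so
    #    write only succeeds where the node is world-writable; the X socket
    #    needs write permission for connect(2), which is why w is included.
    echo "ugidfw add subject uid $uid object uid root mode rswx"
    # 3. Everything else, i.e. files of every other user including the real
    #    login account: no access at all.
    echo "ugidfw add subject uid $uid object not uid $uid mode n"
}

# Root side: create the account, load the module, install the rules.
ff_setup() {
    [ "$(id -u)" -eq 0 ] || { echo "ff_setup must run as root" >&2; return 1; }
    pw usershow "$FF_USER" >/dev/null 2>&1 ||
        pw useradd "$FF_USER" -m -s /bin/sh -c "Firefox sandbox"
    uid=$(id -u "$FF_USER")
    kldstat -q -m mac_bsdextended || kldload mac_bsdextended
    sysctl security.mac.bsdextended.enabled=1
    ff_rules "$uid" | sh -e
    ugidfw list
}

# Desktop-user side: grant the sandbox uid access to the local X server and
# start the browser as that uid. Assumes security/sudo from ports and an
# X.Org server that understands si:localuser (no cookie copy needed).
ff_run() {
    xhost "+si:localuser:$FF_USER"
    sudo -u "$FF_USER" -H env DISPLAY="${DISPLAY:-:0}" firefox
}

case "${1:-}" in
    setup) ff_setup ;;
    run)   ff_run ;;
    rules) ff_rules "${2:-$(id -u "$FF_USER")}" ;;
esac
```

Run `sh ff-sandbox.sh rules 1001` to inspect the policy, `setup` once as root, then `run` from the X session. What this buys is that a compromised browser process cannot touch the invoking user's files; what it does not buy is the exact allow-list in the question: the sandbox uid can still read anything root-owned and world-readable and write anything root-owned and world-writable, because those checks fall through to ordinary DAC. Note also that `xhost +si:localuser` trusts every process of that uid with the display, which is exactly the trust the question grants, but it is worth stating.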