Posted Feb 2, 2010 0:35 UTC (Tue) by jamesmrh
In reply to: Sanboxing
Parent article: Security in the 20-teens
It's a Fedora 12 feature.
I think it'd be useful to transparently sandbox some applications, and then perhaps break the sandbox if the user initiates an action which requires access outside.
e.g. all PDF viewing is sandboxed by default, but if the user wants to save the file, the sandbox is disabled for that access (need to ensure that the user clicked save w/ trusted path). Complex apps like Firefox are more difficult, but not impossible.
One of the points that was advanced in favor of seccomp was that there's no "off switch" like there is for SELinux.
Disabling SELinux can be prevented (modulo kernel bugs).