Walsh: Introducing the SELinux Sandbox

Running the plugins in a separate (restricted) process is only part of the solution; one should handle all code and data from a webserver as untrusted. The Chrome way: splitting off download and rendering of a webpage into a separate process allows to sandbox the most critical part of webbrowsing.

I think that it is correct to "taint" OOo after it has read an untrusted document... who tells me that it doesn't contain bad macros? (It appears that Dan Walsh balanced "ease of use" and "security" differently.)