freebsd security - Nov 2006 - Sandboxing

Hi.

This is mostly hypothetical, just because I want to see how knowledgeable
people would go about achieving it:

I want to sandbox Mozilla Firefox. For the sake of example, I'm running it
under my own user account. The idea is that it should be allowed to
connect to the X server, it should be allowed to write to ~/.mozilla and
/tmp.

I expect some configurations would want access to audio devices in
/dev, but for simplicity, that's ignored here.

All other filesystem access is denied.

Ready...

Go!

MC

On 08/11/06, mal content <artifact.one@googlemail.com>
wrote:
> Hi.
>
> This is mostly hypothetical, just because I want to see how knowledgeable
> people would go about achieving it:
>
> I want to sandbox Mozilla Firefox. For the sake of example, I'm running
it
> under my own user account. The idea is that it should be allowed to
> connect to the X server, it should be allowed to write to ~/.mozilla and
> /tmp.
>
> I expect some configurations would want access to audio devices in
> /dev, but for simplicity, that's ignored here.
>
> All other filesystem access is denied.
>
> Ready...
>
> Go!
>
> MC
>
I forgot to add: Use of TrustedBSD extensions is, of course, allowed.

On Thu, 9 Nov 2006, mal content wrote:
> Nobody sandboxes on FreeBSD?

man jail(8)