[cap-talk] Google Chrome - web browser with sandboxed rendering
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Sep 4 03:31:26 CDT 2008
On Thu, 2008-09-04 at 08:23 +0200, Rob Meijer wrote:
> In Linux you could use AppArmor to confine access to the filesystem to a
> minimum, uid based rules in iptables to deny all initiation of networking,
> and unix domain sockets for communication of filesystem and networking
> handles.
You mean Plash right? ;)
Caveat: Plash uses chroot jails rather than AppArmor (which allows much
greater flexibility) and does not yet deny network access, although
using iptables to filter from specific uids mightn't be such a bad way
to go. Mark, have you thought about using this approach for networking?
Cheers
Toby
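
The handle-passing part of the design discussed in this thread, as an added example that is not part of the original message and is not Plash code: a broker that holds filesystem authority hands a confined worker a read-only descriptor over a unix domain socket using SCM_RIGHTS. The function names, the allowlist and the sample files are assumptions made for illustration, and the AppArmor, chroot and iptables confinement of the worker is not set up here.

```python
import array
import os
import socket
import tempfile

def send_fd(sock, fd):
    # SCM_RIGHTS makes the kernel install a duplicate of fd in the receiver.
    anc = [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))]
    sock.sendmsg([b"ok"], anc)

def recv_fd(sock):
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
    return msg, (fds[0] if fds else None)

def broker_serve_one(sock, allowed):
    # The broker holds filesystem authority and decides what to hand out.
    path = os.path.realpath(sock.recv(4096).decode())
    if path not in allowed:
        sock.sendall(b"denied")
        return
    fd = os.open(path, os.O_RDONLY)  # read-only handle, nothing broader
    try:
        send_fd(sock, fd)
    finally:
        os.close(fd)  # the receiver keeps its own copy

def demo():
    broker_end, worker_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    results = {}
    with tempfile.TemporaryDirectory() as d, broker_end, worker_end:
        # Constructed sample files: granted.txt and refused.txt
        paths = {k: os.path.join(d, k + ".txt") for k in ("granted", "refused")}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("constructed sample: " + os.path.basename(p))
        allowed = {os.path.realpath(paths["granted"])}
        for name, p in paths.items():
            worker_end.sendall(p.encode())         # worker asks by name
            broker_serve_one(broker_end, allowed)  # broker applies its policy
            msg, fd = recv_fd(worker_end)          # worker gets a handle or a refusal
            results[name] = (msg, None)
            if fd is not None:
                with os.fdopen(fd) as f:
                    results[name] = (msg, f.read())
    return results
```

Calling `demo()` runs both ends in one process for brevity; in a real deployment the worker would be a separate confined process that inherits only its end of the socket pair.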