# Sandbox Firefox?

## SnEptUne

Does anyone know if it is possible to run unsafe processes such as Firefox under sandbox environment, but still able to write to ~/.mozilla/* and have access to video and audio (such as flash and youtube)?

----------

## didl

You can use a RBAC implementation such as grsecurity in 

hardened-sources or RSBAC in rsbac-sources to do this.

----------

## SnEptUne

 *didl wrote:*   

> You can use a RBAC implementation such as grsecurity in 
> 
> hardened-sources or RSBAC in rsbac-sources to do this.

 

The problem is that I don't want to switch to another account just to browse the web for informations.  A security that hinders productivity is worse than being "secured" in the first place.

----------

## kang

 *SnEptUne wrote:*   

>  *didl wrote:*   You can use a RBAC implementation such as grsecurity in 
> 
> hardened-sources or RSBAC in rsbac-sources to do this. 
> 
> The problem is that I don't want to switch to another account just to browse the web for informations.  A security that hinders productivity is worse than being "secured" in the first place.

 

you don't need to switch to another account with any of these solutions.

With RSBAC for example, you can enable the JAIL module only (and not anything else), then replace your firefox start command by:

rsbac_jail <options> firefox

replace <options> by whatever you want to let firefox do (check your log output to see what accesses have been denied to firefox that you may want to give, eg right to change firefox process priority if you like -C SYS_NICE)

----------

## SnEptUne

I don't have the rsbac_jail command.  Which package is it from?

I am using hardened gentoo with grsec, which should includes RSBAC.

----------

## kang

 *SnEptUne wrote:*   

> I don't have the rsbac_jail command.  Which package is it from?
> 
> I am using hardened gentoo with grsec, which should includes RSBAC.

 

No, it doesn't include RSBAC.

You need to emerge rsbac-sources to get RSBAC.

The rsbac_jail command is in the package rsbac-admin. Check http://hardened.gentoo.org/rsbac or http://www.rsbac.org for documentation if you need (however if you only enable the JAIL module in the kernel config and start firefox with rsbac_jail firefox its quite easy)

----------

## SnEptUne

I see.  However, I still need GrcSecurity.  Is there no way to do so with hardened-source?  Or to simply start firefox as a different user?

----------

## GNUtoo

is there a possibility to do that with the stock kernel? or with selinux(i already have it running)

the stock kernel has namespaces...

and i don't have selinux on all the computers i manage...

so if i'm able to do it with both namespace and selinux that would be great...

the reason why i want t stock kenrel is that i don't want to be dependant on a kernel that is too old because of:

->important new features

->security: in case there is a security problem such as vmsplice or worse i get the fix quicker...because some of the computer i manage run proprietary software and don't have selinux...

----------

