In association with heise online

23 September 2009, 09:39

Fedora 12 demonstrates sandbox for desktop applications


Security-Enhanced Linux (SELinux) specialist and Red Hat developer Dan Walsh has souped up the security mechanisms in Fedora and SELinux by adding a desktop sandbox which he's calling "sandbox -X". Users can run desktop applications of their choice inside his sandbox, which then protects the underlying system from any possible damage.

Figure: A browser started inside the sandbox is unable to damage the host system.

SELinux extends the standard Unix privileges concept to add a role-based privilege model which, in principal, allows a user to forbid a PDF viewer from, for example, sending email. Currently, however, SELinux is mainly used to wall off server services.

Dan Walsh is now looking to change this and has designed a desktop sandbox. It can, for example, be used to run Firefox in an isolated environment consisting of temporary directories, a separate X server instance – for which he uses Xephyr – and a special profile which defines the relevant privileges. At present the sandbox has to be started manually from the command line, for example with:

sandbox -X -t sandbox_web_t firefox

Sandbox -X is already in Fedora 12, scheduled for a November release, so interested users can already have a play. It is, however, likely to be a while before it becomes genuinely user-friendly, with the sandbox currently forgetting all user settings each time it is run and also being unable to copy and paste into the host system.
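A practitioner trying the sandbox will want to confirm that a program really ended up in the sandbox_web_t domain with its own home and tmp directories rather than the host's. The following script is an added example, not part of the article or of Fedora's sandbox tooling; the function names, the constructed context string and the directory paths are assumptions, and the PID-based check only works on an SELinux host.

```sh
#!/bin/sh
# Added example: verify from the outside that a process is confined by sandbox -X.
# An SELinux context string has the shape user:role:type:level, for example
# (constructed) "unconfined_u:unconfined_r:sandbox_web_t:s0:c133,c599".
# The field that matters for the sandbox is the type, e.g. sandbox_web_t.

# Print the type field of an SELinux context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context's type equals the expected sandbox type, 1 otherwise.
is_confined_as() {
    ctx="$1"; expected="$2"
    [ "$(selinux_type "$ctx")" = "$expected" ]
}

# Return 0 if the sandboxed process was given a private home and tmp, i.e. paths
# that differ from the host user's home and the shared /tmp (the temporary
# directories the article describes). Arguments: sandbox_home sandbox_tmp host_home.
has_private_dirs() {
    sandbox_home="$1"; sandbox_tmp="$2"; host_home="$3"
    [ "$sandbox_home" != "$host_home" ] && [ "$sandbox_tmp" != "/tmp" ]
}

# Read the live context of a PID (default: this shell) from procfs.
# Prints nothing when SELinux is not available, so callers see an empty string.
context_of_pid() {
    cat "/proc/${1:-self}/attr/current" 2>/dev/null | tr -d '\0'
}

# Usage on a Fedora host: pass the PID of a Firefox started via
#   sandbox -X -t sandbox_web_t firefox
# and the script reports whether that process is actually in sandbox_web_t.
if [ -n "$1" ]; then
    ctx=$(context_of_pid "$1")
    if is_confined_as "$ctx" sandbox_web_t; then
        echo "PID $1 is confined in sandbox_web_t: $ctx"
    else
        echo "PID $1 is NOT in sandbox_web_t (context: ${ctx:-unavailable})" >&2
        exit 1
    fi
fi
```

The same check can be run from inside the sandboxed session with `context_of_pid self`, which is the quickest way to see whether the profile was applied before relying on it.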
