block access to most of etc?
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Arkose - Desktop Application Sandboxing | New | Undecided | Unassigned |
Bug Description
Blueprints don't seem to be set up, so adding here; hope that's ok.
It would be nice if any unnecessary files in etc were not present in the sandbox at all. I can see this being fiddly to set up and maintain depending on what is required of the sandbox. I presume one could just create a dummy etc and bind mount it? What if, however, the preference was to blacklist a few files, e.g. certificates and the password file, and make sure they were not present in the sandbox (unless specifically required)? Alternatively it might be nice to have different versions of etc depending on the sandbox type, e.g. does the browser actually need anything in etc? Perhaps another reason to create profiles to be used with the sandbox, e.g. like the wrapper conf but for arkose itself and hence without prompting.
One difference an arkose profile might have over a wrapper conf file is there probably wouldn't need to be a cmd specification in the profile, as I would guess this would be applied to whatever one is starting via arkose at the time. As mentioned in my other comments, it might be nice if a profile could be picked up automatically, and perhaps within the desktop environment for a sandbox with the applicable profile to be applied to an application by default.
Might also be nice if binding the Downloads directory in home was an option rather than all of home (just wondering if this might be a useful default?).
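The "dummy etc" idea sketched in the report, as an added example that is not code from the bug report or from Arkose itself: a small POSIX shell script assembles a sandbox-only /etc from an allow-list, refuses to proceed if any deny-listed file (password database, shadow file, TLS certificate stores) slipped in, and then bind-mounts that directory over /etc inside a private user and mount namespace so the real /etc is never visible to the sandboxed command. The allow-list and deny-list contents, the function names, and the use of `unshare --user --map-root-user --mount` as the isolation mechanism are all assumptions made for illustration; Arkose's actual profile format and mount logic are not shown here.

```shell
#!/bin/sh
# Added example (assumed design, not Arkose's own code): build a minimal /etc
# for a sandbox from an allow-list, verify that deny-listed sensitive files are
# absent, and bind-mount the result over /etc in a private mount namespace.

# Assumed allow-list: what a networked desktop app typically still needs.
ETC_ALLOW="hosts resolv.conf nsswitch.conf localtime ld.so.cache fonts"

# Assumed deny-list: never present in the sandbox unless a profile asks for it.
ETC_DENY="passwd shadow group gshadow sudoers ssl/certs ssl/private"

# build_sandbox_etc SRC DEST: copy only allow-listed entries from SRC into DEST.
# Anything not on the allow-list (including deny-listed files) is simply omitted.
build_sandbox_etc() {
    b_src=$1; b_dest=$2
    mkdir -p "$b_dest" || return 1
    for entry in $ETC_ALLOW; do
        [ -e "$b_src/$entry" ] || continue
        cp -Rp "$b_src/$entry" "$b_dest/" || return 1
    done
    return 0
}

# etc_is_clean DEST: succeed (0) only if no deny-listed path exists under DEST.
# This is the check a sandbox launcher would run before mounting anything.
etc_is_clean() {
    c_dest=$1
    for entry in $ETC_DENY; do
        if [ -e "$c_dest/$entry" ]; then
            echo "deny-listed path present in sandbox etc: $c_dest/$entry" >&2
            return 1
        fi
    done
    return 0
}

# run_with_sandbox_etc DEST CMD...: run CMD with DEST bind-mounted over /etc.
# Uses an unprivileged user namespace plus a private mount namespace (assumed
# mechanism; requires a kernel that allows unprivileged user namespaces). The
# bind mount exists only inside that namespace, so the host's /etc is untouched.
run_with_sandbox_etc() {
    r_dest=$1; shift
    etc_is_clean "$r_dest" || return 1
    unshare --user --map-root-user --mount sh -c \
        'mount --bind "$1" /etc && shift && exec "$@"' sh "$r_dest" "$@"
}

# demo: exercise the pipeline against a constructed fake /etc (not the real
# one), so it runs without root and never touches system files.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/etc/ssl/certs"
    printf '127.0.0.1 localhost\n' > "$work/etc/hosts"
    printf 'nameserver 127.0.0.53\n' > "$work/etc/resolv.conf"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"   # constructed
    printf 'root:*:0:0:99999:7:::\n' > "$work/etc/shadow"           # constructed
    : > "$work/etc/ssl/certs/ca-certificates.crt"                   # constructed
    build_sandbox_etc "$work/etc" "$work/sandbox-etc"
    if etc_is_clean "$work/sandbox-etc"; then
        echo "sandbox etc is clean; contents:"
        ls -R "$work/sandbox-etc"
    fi
    # The source tree, by contrast, fails the check because it holds passwd etc.
    etc_is_clean "$work/etc" || echo "source etc correctly rejected"
    rm -rf "$work"
}

demo
```

To actually launch a program this way you would call `run_with_sandbox_etc /path/to/sandbox-etc some-app`; the launcher refuses to start if the staged directory fails `etc_is_clean`, which is the "make sure they are not present unless specifically required" behaviour the report asks for. Per-sandbox-type variants (a browser profile versus a document viewer profile) would simply be different `ETC_ALLOW` values feeding the same build step.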