Quote:
Originally Posted by e1-531g
Do you think that using Unix file permissions (DAC) is a way to provide basic process isolation?
Processes are not isolated. But filesystem permission bits can be used for data access restriction. For example, you might have two userids on a workstation -- one for using untrusted browsers, and one for everything else. If you chmod(1) the $HOME directory of your "everything else" userid so that it can only be accessed by the owner, other userids (aside from the superuser) will not have access to it.
Quote:
Or I should use chroot + systrace.
With some effort, you could use chroot(8) -- but the entire userland the browser uses would need to be replicated. This is not a trivial task.
You mention systrace(1). It should not be used as a security tool; see the BUGS section of the man page. It is a system call policy governance tool. System calls not pre-approved will cause the application to be killed. Setting up a systrace policy rule set is complicated for any application, and changes to the application may require revisiting the rules. Browsers, due to their inherent complexity, may be much more difficult than other applications.
My only use of systrace these days is during port build testing -- and that is because the Project provides a systrace.policy for port builds.
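As an added example (not part of the original post): a small POSIX sh audit that reports whether home directories carry any group/other permission bits, which is the state the chmod(1) advice above is meant to produce, and can apply chmod 700 to the ones that do. The directory names used in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Checks the group/other
# permission bits of home directories; it does not check ownership.

# Prints the group/other part of the mode string, e.g. "r-xr-x" for 0755.
# ls -ld is used because its first field is portable across BSD and GNU.
mode_bits() {
    ls -ld "$1" | cut -c5-10
}

# Returns 0 if no group/other bit is set (owner-only access), 1 if any is
# set, 2 if the path is not a directory.
home_is_private() {
    [ -d "$1" ] || return 2
    bits=$(mode_bits "$1") || return 2
    case $bits in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage: audit_homes yes|no DIR... ; "yes" applies chmod 700 to open dirs.
# Returns 1 if any directory was found open, 0 if all were already private.
audit_homes() {
    fix=$1; shift
    rc=0
    for h in "$@"; do
        if home_is_private "$h"; then
            echo "OK    $h"
        else
            echo "OPEN  $h (group/other bits: $(mode_bits "$h"))"
            rc=1
            if [ "$fix" = yes ]; then
                chmod 700 "$h" && echo "FIXED $h"
            fi
        fi
    done
    return $rc
}

# Demo on constructed directories: "safe" is owner-only, "browser" is 0755.
demo_root=$(mktemp -d)
mkdir "$demo_root/safe" "$demo_root/browser"
chmod 700 "$demo_root/safe"
chmod 755 "$demo_root/browser"
audit_homes no "$demo_root/safe" "$demo_root/browser" || :
rm -rf "$demo_root"
```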