Why we do confine Firefox
by Sven Vermeulen, post on Tue 11 August 2015If you're a bit following the SELinux development community you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox. He should've asked why the reference policy or Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've mentioned before, not the same as its policy.
In effect, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt to do this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.
My application base: firefox
by Sven Vermeulen, post on Fri 07 June 2013Browsers are becoming application disclosure frameworks rather than the visualization tools they were in the past. More and more services, like the Draw.io one I discussed not that long ago, are using browsers are their client side while retaining the full capabilities of end clients (such as drag and …