Web start sandboxing and security

Jiri Vanek jvanek at redhat.com
Sun Dec 1 23:39:23 PST 2013


On 12/01/2013 02:24 AM, Fernando Cassia wrote:
>
> On Fri, Oct 18, 2013 at 3:14 PM, Andy Lutomirski <luto at amacapital.net> wrote:
>
>     Even if the app is signed, there should still be a way to run it in
>     the sandbox.  I've yet to encounter a JNLP app in the wild that has
>     any legitimate reason to do anything other than access the internet,
>     create some temporary files, and occasionally use the file picker.
>     Let me run it in the sandbox, please.
>
>

This is an interesting idea, to have the "Application is signed, trust/don't trust" dialog extended to "Application is signed, trust/don't trust/run in sandbox".

I'm not sure how hard or even safe it will be to implement it, but there can be another solution. Andrew Azores is working on policy.tool, which should do exactly what you want.
Although application X is requesting permissions A B C, you specify in the policy file that it can use only e.g. B. So when app X requests A and C it will get permission denied.
Is it what you want?
Maybe when this is safely in and tested, we can add the "run in sandbox" button, which will just create a tmp policy for the application.

However, this development is tricky work, and although we are trying to get it into the next (1.5) release, we are not sure if we will make it.

J.
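
The "requests A, B, C but the policy allows only B" behaviour described above, as an added illustration that is not part of the original message and is not IcedTea-Web or policy.tool code. It uses the standard `java.security` permission classes; the class name `PolicyCapDemo`, the host and the paths are constructed for the example.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;

public class PolicyCapDemo {

    // Returns every requested permission that the user's policy does not imply.
    // These are the requests that would end in "permission denied".
    static List<Permission> denied(Permissions granted, List<Permission> requested) {
        List<Permission> out = new ArrayList<>();
        for (Permission p : requested) {
            if (!granted.implies(p)) {
                out.add(p);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed user policy: only "B" (a private temp directory) is allowed.
        // The trailing "-" covers all files and subdirectories, recursively.
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/tmp/jnlp-demo/-", "read,write,delete"));

        // Constructed set of permissions the application asks for.
        Permission a = new SocketPermission("example.com:443", "connect");
        Permission b = new FilePermission("/tmp/jnlp-demo/cache/state.bin", "read,write");
        Permission c = new FilePermission("/home/user/-", "read");
        List<Permission> requested = List.of(a, b, c);

        List<Permission> refused = denied(granted, requested);
        for (Permission p : requested) {
            String verdict = refused.contains(p) ? "DENIED " : "ALLOWED";
            System.out.println(verdict + "  " + p);
        }

        // A signature on the application does not change the outcome:
        // the decision depends only on what the user's policy implies.
        if (refused.size() != 2 || refused.contains(b)) {
            throw new AssertionError("policy cap did not behave as expected");
        }
    }
}
```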


More information about the distro-pkg-dev mailing list