Quote:
Originally Posted by unSpawn
So how about Flash and JAVA?..
The "keep_domain any from /usr/bin/firefox" directive is supposed to keep Flash, Java and VLC (I use the VLC plugin) confined in the same domain as Firefox. This is the reasonably minimal set of permissions that allows this stuff to run safely (as far as TOMOYO can go). You can go file by file for read permissions in /usr/lib64/, /usr/share or /etc/fonts ..., but it isn't worth it. The policy allows read/write access only to config directories, Downloads, /tmp and /var/tmp. Read access in the home folder is limited to several files in "path_group FFX_HOME_RO". You can't use Ctrl+O to read a file in Firefox outside of the allowed folders. Apart from the three allowed, nothing else can be executed. Java can't run /bin/sh, for example. You can't run engrampa or xarchive to open a tar.gz file from Firefox. You have to download it to Downloads first. D-Bus is disabled too.
The goal is to run these plugins safely. Not to disable them.
Cheers
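
An added example, not part of the original post or the poster's policy: a small Python audit that checks a Firefox domain for the two properties described above (no execute outside an allowlist, no write outside the permitted directories). It assumes TOMOYO 2.5-style `file <ops> <path>` lines; the sample policy, the paths, the allowlist and the function names are all constructed for illustration.

```python
# Operations treated as "write-like" for the audit (assumed subset of TOMOYO file ops).
WRITE_OPS = {"write", "append", "create", "unlink", "rename",
             "truncate", "mkdir", "rmdir", "link", "symlink"}

# Constructed sample domain policy; the last two ACL lines are deliberate violations.
SAMPLE_POLICY = r"""
<kernel> /usr/bin/firefox
use_profile 3
file read /usr/lib64/\{\*\}/\*
file read @FFX_HOME_RO
file read/write/create/unlink /home/user/Downloads/\*
file read/write /tmp/\*
file execute /usr/bin/vlc
file execute /bin/sh
file write /home/user/Documents/notes.txt
"""

# Hypothetical values: the post does not list the allowed executables or config paths.
EXEC_ALLOW = {"/usr/bin/vlc"}
WRITE_ROOTS = ("/home/user/.mozilla/", "/home/user/Downloads/", "/tmp/", "/var/tmp/")


def parse_domains(text):
    """Return {domain_line: [(set_of_ops, first_path), ...]} for 'file' ACL lines."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):
            current = domains.setdefault(line, [])
        elif current is not None and line.startswith("file "):
            _, ops, rest = line.split(None, 2)
            current.append((set(ops.split("/")), rest.split()[0]))
    return domains


def audit(text, program, exec_allow, write_roots):
    """List (kind, path) findings for domains whose last component is `program`."""
    findings = []
    for name, acl in parse_domains(text).items():
        if name.split()[-1] != program:
            continue
        for ops, path in acl:
            if "execute" in ops and path not in exec_allow:
                findings.append(("execute", path))
            # Unresolved @group references in a write rule are flagged too (conservative).
            if ops & WRITE_OPS and not path.startswith(tuple(write_roots)):
                findings.append(("write", path))
    return findings


if __name__ == "__main__":
    for kind, path in audit(SAMPLE_POLICY, "/usr/bin/firefox", EXEC_ALLOW, WRITE_ROOTS):
        print(f"unexpected {kind}: {path}")
```

Because "keep_domain" keeps the plugins in the Firefox domain, this one domain's ACL is the whole permission set to review for them.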