danwalsh (danwalsh) wrote,

How do I use sandbox -X

A couple of days ago I blogged about a cool new feature in Fedora 12 called sandbox -X.

Today I want to write about how I can use it within Firefox.

You should not trust any data that I download from the internet.  Even trustworthy sites have been hacked with acroread vulnerabilities.

How do you setup firefox to run sandbox -X evince on pdf files?

My first attempt failed.  Firefox does not allow you to specify a full command string to run downloaded content in, I needed to create a simple shell script.

cat ~/bin/sandboxevince
/usr/bin/sandbox -X evince "$@"

When you create this, remember to

chmod +x ~/bin/sandboxevince

In Firefox:

  • Select the Edit->Preferences menu item, which brings up the "Firefox Preferences" dialog.

  • Select "Applications" and entered pdf into the search dialog.  This brought up evince as the default.

  • Select  the "use evince" menu and select other.

  • Select ~/bin/sandboxevince

  • Save

Now I go to my favorite site,  and select a presentation

sandbox -X evince runs great !!!

You can go back and change all your acroread settings to use sandboxevince.

You can do the same for OpenOffice

cat ~/bin/sandboxooffice
/usr/bin/sandbox -X ooffice "$@"

chmod +x ~/bin/sandboxooffice

I searched for doc and changed that to use sandboxooffice

I did notice that some extensions were not in the list.  I had to go to a page with a odf file on it and tell firefox to  use sandboxooffice for this type for now on.

BTW,   Firefox leaks open file descriptors like a sieve, so I will need to add dontaudit policy to cover these up. Firefox developers know about the leaks but say "they can not do much about the leaks,  since plugins get added with leaks all the time."

Now I can feel a little safer as I browse the web.

It would be really great if firefox gave the ability to run all helper apps within a single command.

Now off to do the same with thunderbird.

  • Container Domains (Types)

    One of the things people have always had a hard time understanding about SELinux is around different types. In this blog, I am going to discuss…

  • Musings on Hybrid Cloud

    I work on the lowest levels of container runtimes and usually around process security. My team and I work on basically everything needed run…

  • Container Labeling

    An issue was recently raised on libpod, the github repo for Podman. "container_t isn't allowed to access container_var_lib_t" Container policy…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened