Poor Man's Browser Sandboxing

rvp

A recent email exchange with @JuvenalUrbino recalled to mind a rather neat way to do browser "sandboxing". It's not a new idea (Android does this for all its apps after all), but, this is how we used to isolate programs back in the days when virtualization meant running Bochs instances. I present:

the Poor Man's Browser Sandboxing

You can use the same technique for other large Xorg programs.

JuvenalUrbino

rvp You can use the same technique for other large Xorg programs.

Illumos folks do a lot of this stuff. Specifically, a convenient way of running modern web browsers and other complex programs which do not support Solarish any longer, is to spin up a LX zone and do ssh x11 forwarding from it.

nia

There's something to be said for taking advantage of the classic unix features for this sort of thing, see the old extremesandbox.c example 🙂

JuvenalUrbino

nia There's something to be said for taking advantage of the classic unix features for this sort of thing

I always thought sandboxctl to be a perfect example of this traditional Unix on steroids sort of thing.