On Saturday 4 February 2017 11:00:12 PM IST Leonid Isaev wrote:
> > Exactly. If I am running chromium with firejail, which whitelists what
> > chromium can do to the file system (even better with --private); the
> > browser cannot tamper with .profile/.bash_profile or .ssh.
>
> See, this is the problem: Why would a browser need these files? File access
> should only be possible with user interaction (via a file-open dialog).

Ideally, it doesn't. But programs have bugs and it's nice to restrict them if those happen. Chromium is just an example.

Here is something firejail (again an example sandbox) would prevent.

https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

--
Regards
Shridhar