Combine MIAB with firejail

Hey Guys,
I would like to discuss with you the combination of firejail with miab. I think it would make it better even when some vulnerability happens to nginx or php.

What do you think: pro, con or it depends …?

As a general rule, I don’t accept changes that fix hypothetical vulnerabilities. The primary reason is that if it’s hypothetical, there is no way to verify that the change is actually providing any security, and every change comes at a cost in terms of maintainers’ time and increasing the knowledge users need to know to operate a Mail-in-a-Box, so the cost outweighs an unverifiable benefit. If you can demonstrate an actual security issue that this would solve, then I am totally open to considering it.

What IS firejail, exactly?

“Firejail is an easy to use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.”
according to https://wiki.archlinux.org/index.php/Firejail