AnotterKiosk
Pad Chromium in bubblewrap
bubblewrap is a nice little sandboxing tool which (amongst other things) lets an unprivileged user filter the syscalls available to a process. The Chromium process could be restricted to a very small set of syscalls, shrinking the attack surface it exposes to the Linux kernel.
A successful exploit would then need:
- a Chromium exploit (V8, etc.)
- a Chromium sandbox escape
- a bubblewrap escape (with only the allowed syscalls, from a non-privileged user)
- a Linux kernel local privilege escalation (from user to root/kernel)
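The following is an added example (not code from the AnotterKiosk project) of the mechanism described above: bubblewrap's `--seccomp FD` option expects a compiled seccomp-BPF program, so the script assembles a minimal x86_64 allowlist filter by hand, checks it with a tiny interpreter, and builds the `bwrap` command line that would apply it. The five-syscall allowlist and the usr-merged filesystem layout are constructed for illustration only; a real Chromium profile needs far more syscalls and should be derived by tracing the kiosk under its normal workload.

```python
import struct

# Classic-BPF opcode bits and seccomp constants, as defined in the kernel
# headers <linux/filter.h>, <linux/seccomp.h> and <linux/audit.h>.
BPF_LD, BPF_W, BPF_ABS = 0x00, 0x00, 0x20
BPF_JMP, BPF_JEQ, BPF_K = 0x05, 0x10, 0x00
BPF_RET = 0x06
LD_ABS_W = BPF_LD | BPF_W | BPF_ABS   # load 32-bit word from seccomp_data
JEQ_K = BPF_JMP | BPF_JEQ | BPF_K     # jump if accumulator == constant
RET_K = BPF_RET | BPF_K               # return constant action

SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
OFF_NR, OFF_ARCH = 0, 4               # offsets of nr / arch in struct seccomp_data

# struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; } on a little-endian host
SOCK_FILTER = struct.Struct("<HBBI")

# Constructed, deliberately tiny allowlist (x86_64 numbers): read, write, close,
# execve, exit_group. execve must stay allowed because bwrap installs the filter
# before exec'ing the target command.
ILLUSTRATIVE_ALLOWLIST = [0, 1, 3, 59, 231]


def build_allowlist_filter(allowed_nrs):
    """Return raw seccomp-BPF bytes: allow the listed x86_64 syscalls, kill on anything else."""
    n = len(allowed_nrs)
    assert 0 < n <= 254, "jt/jf are 8-bit offsets"
    insns = [
        (LD_ABS_W, 0, 0, OFF_ARCH),
        # Wrong architecture (e.g. 32-bit ABI) -> skip straight to the KILL return.
        (JEQ_K, 0, n + 1, AUDIT_ARCH_X86_64),
        (LD_ABS_W, 0, 0, OFF_NR),
    ]
    # Each match jumps forward to the final ALLOW; a miss falls through to KILL.
    for i, nr in enumerate(allowed_nrs):
        insns.append((JEQ_K, n - i, 0, nr))
    insns.append((RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS))
    insns.append((RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return b"".join(SOCK_FILTER.pack(*ins) for ins in insns)


def evaluate(filter_bytes, arch, nr):
    """Minimal cBPF interpreter for the three opcodes used above; returns the seccomp action."""
    insns = [SOCK_FILTER.unpack_from(filter_bytes, off)
             for off in range(0, len(filter_bytes), SOCK_FILTER.size)]
    data = {OFF_NR: nr, OFF_ARCH: arch}
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = insns[pc]
        if code == LD_ABS_W:
            acc, pc = data[k], pc + 1
        elif code == JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%x" % code)


def bwrap_argv(seccomp_fd, command):
    """bwrap command line applying the filter read from seccomp_fd (assumes a usr-merged distro)."""
    return ["bwrap", "--unshare-all", "--share-net", "--die-with-parent", "--new-session",
            "--ro-bind", "/usr", "/usr", "--ro-bind", "/etc", "/etc",
            "--symlink", "usr/bin", "/bin", "--symlink", "usr/lib", "/lib",
            "--symlink", "usr/lib64", "/lib64",
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
            "--seccomp", str(seccomp_fd), "--", *command]


if __name__ == "__main__":
    prog = build_allowlist_filter(ILLUSTRATIVE_ALLOWLIST)
    with open("chromium.bpf", "wb") as f:
        f.write(prog)
    # Pass the filter on fd 3, e.g.:  bwrap ... --seccomp 3 -- chromium  3<chromium.bpf
    print(" ".join(bwrap_argv(3, ["chromium", "--kiosk"])), "3<chromium.bpf")
```

Run with `chromium.bpf` opened on fd 3 as shown in the printed command; alternatively `subprocess.run(bwrap_argv(fd, cmd), pass_fds=[fd])` hands the descriptor over from Python. Two practical points: the kill action applies to the process as a whole, so a single missing syscall in the allowlist takes the kiosk down rather than degrading it, and Chromium's own sandbox installs its own seccomp filters and namespaces, so the outer filter must leave those calls available. Deriving the list by tracing the running kiosk is the workable way to get from this skeleton to a usable profile.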