
boustrophedon | 1 year ago

Since the author mentioned rewriting it in Rust, I recently added support to my library extrasafe that allows you to sandbox your own code: https://harrystern.net/extrasafe-user-namespaces.html

So if you wanted to call ffmpeg or some other C library with complicated user-provided data, you can use extrasafe's Isolates (along with its seccomp and Landlock features) to sandbox the call. I'm not really sure how suited it is for rewriting something like bubblewrap or firejail, but it might be interesting to try.
