top | item 43144306

(no title)

aomix | 1 year ago

Everything I've read about pledge and unveil really admire the approach and the results but it didn't seem to have a big impact outside of OpenBSD. It took ~20 years for OpenBSD's CSPRNG to be re-implemented everywhere else maybe we're operating on a similar timeline here.

discuss

hellcow|1 year ago

https://justine.lol/pledge/

While not the same, this is a SECCOMP-based Linux alternative (and it can even be used to restrict pre-compiled binaries).

eyberg|1 year ago

We definitely took inspiration and implemented in the nanos unikernel cause we think it's a great idea:

https://nanovms.com/dev/tutorials/applying-sandbox-security-...

saagarjha|1 year ago

This is generally how modern systems do sandboxing.