top | item 43449715

(no title)

l0kod | 11 months ago

For instance, with Pledge, the "dns" promise is implemented with hardcoded path in the kernel. Linux is complex because it is versatile and flexible. Controlling access to such features requires some complexity and the kernel might not be enough.

About interfaces, another example is that Unveil is configured with path names but Landlock uses file descriptors instead (more flexible).

Also, these OpenBSD primitives only apply to the current executed binary, there is no nested sandboxes because the goal is not to create this kind of secure environment but mainly to secure a trusted binary.

discuss

No comments yet.