Hello, Am 09.07.22 um 13:32 schrieb Matěj Cepl:
Sadly we do not have a mechanism like pledge (from openbsd) where an application could state "after that stage, i just need read privileges on THAT directories" and the OS drops privileges for the rest.
We have SELinux.
SELinux does not have the same capabilities as pledge/unveil/landlock as SELinux does not know anything about the internal working structures, but the application knows when it can drop capabilities or privileges. But on the other side, it needs upstream developer support. Which is not necessary with SELinux. Kind regards, Dennis -- Dennis Knorr, dennis.knorr@suse.com SUSE Software Solutions Germany GmbH Frankenstraße 146, 90461 Nürnberg, Germany Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman (HRB 36809, AG Nürnberg)