On 06. 07. 22 at 15:04, Dennis Knorr wrote:
Do you trust /bin/ls? vim? Should they also be sandboxed?
I do trust /bin/ls (more or less)? I absolutely do not trust vim with its various plugins which can do whatever. It is hard to do it for the universal text editor, but I think we are in a desperate need for some kind of protection against it (probably SELinux would be a better tool here than docker/flatpak, though).
Sadly we do not have a mechanism like pledge (from OpenBSD) where an application could state "after that stage, I just need read privileges on THAT directories" and the OS drops privileges for the rest.
We have SELinux.

Best,

Matěj

--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Somewhere at the edge of the Bell curve was the girl for me.
  -- Based on http://xkcd.com/314/