undefined | Better HN

0 pointsmholt2y ago0 comments

If you want a sandboxed unit file, why not just sandbox it yourself?

0 comments

Sandboxing it yourself is fraught because any new feature could cause things like a syscall filter to crash the app. It has to be part of the application build/test/release process to prevent that, like it is in SWS.

Besides, we should be creating and using software that is secure by default: https://www.cisa.gov/sites/default/files/2023-06/principles_...

mholtOP2y ago

Ah yes, I agree Linux should not let processes have a set of permissions that large by default.

j / k navigate · click thread line to collapse

0 comments

cyrnel2y ago

Besides, we should be creating and using software that is secure by default: https://www.cisa.gov/sites/default/files/2023-06/principles_...

mholtOP2y ago

Ah yes, I agree Linux should not let processes have a set of permissions that large by default.

j / k navigate · click thread line to collapse