alt Hacker NewsI agree granting processes permission to read any file is unsustainable.
In Linux, sandboxing with Firejail or bwrap is quite easy to configure and allows fine-grained permissions.
Also, the new Landlock LSM and LSM-eBPF are quite promising.
I agree granting processes permission to read any file is unsustainable.
In Linux, sandboxing with Firejail or bwrap is quite easy to configure and allows fine-grained permissions.
Also, the new Landlock LSM and LSM-eBPF are quite promising.