logoalt Hacker News

smashinitoday at 2:11 PM2 repliesview on HN

So Linux can prevent an agent from opening /etc/passwd.

Linux cannot stop an agent from calling:

POST /wire-transfer amount=5,000,000


Replies

seethishattoday at 2:55 PM

Any LSM can stop that POST. SELinux, AppArmor, Tomoyo, etc. They are built-in to the kernel. You just need to know what you are doing to use them.

show 1 reply
__MatrixMan__today at 2:38 PM

You'd do that with a container and a layer 7 egress proxy rule e.g. mitmproxy.

Sure it's work to build such things, but building restraints into the app feels more reliable than playing whack-a-mole with scanner results.

Operating systems can probably do better to meet this need (e.g. capability based ones like fuchsia) but even as is their rules just feel so much more binding.

show 1 reply