[HN Gopher] Capsicum-rs: Rust bindings for the FreeBSD Capsicum ...
___________________________________________________________________
Capsicum-rs: Rust bindings for the FreeBSD Capsicum framework
Author : todsacerdoti
Score : 53 points
Date : 2022-11-10 12:08 UTC (10 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| mdaverde wrote:
| It would be nice to see a comparison of FreeBSD's capsicum vs
| OpenBSD's pledge vs Linux's landlock features. It seems to me
| that the general vision of these projects has overlap but the
| implementations wildly differ.
|
| Another question I have is that we haven't seen popular adoption
| of "capability-aware" Linux programs prior to the above efforts.
| While obviously it would be beneficial for users for developers
| to adopt these patterns, I'm skeptical these will start to take
| hold now? Possibly the adoption method will be runtimes that do
| this under the hood before fork/execve the application?
| yakubin wrote:
| The visions of capsicum and OpenBSD's pledge and unveil are
| wildly different. Capsicum is designed with the assumption that
| you may want to use it for sandboxing untrusted programs.
| OpenBSD's pledge and unveil assume the program is benevolent,
| but may be buggy, such as httpd which could receive specially
| constructed input over the network, manipulating httpd into
| giving a root shell. Pledge and unveil restrictions are not
| inherited across exec syscalls, so you cannot write a utility
| which would run a third-party program with restricted
| privileges.
|
| Of course it also means that benevolent programs, which weren't
| written specifically with OpenBSD in mind, aren't protected. So
| e.g. I'd feel more comfortable running cgit in a FreeBSD jail
| than on OpenBSD trying to cobble something together with just
| chroot.
|
| Linux landlock is modelled after pledge and unveil as far as I
| know.
| anderspitman wrote:
| I dream of a simple, cross-platform API for sandboxing. Imagine
| if forking/spawning a process sandboxed it by default and you had
| to pass in all resources a la WebAssembly.
| ComputerGuru wrote:
| It would be great for this to be a no-op (except the sandboxed()
| function) on non-FreeBSD platforms so you could use it without
| worry. It would be trivial to do so with rust's conditional
| target-based compilation.
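A sketch of the target-based conditional compilation this comment describes, added here as an example and not code from capsicum-rs: on FreeBSD it calls the real cap_enter(2) and cap_getmode(2), and elsewhere a caller-chosen `Fallback` decides between the silent no-op asked for above and failing closed, which goes one step beyond the comment because a sandbox that quietly does nothing is easy to mistake for protection. The `platform` module, the `Fallback` enum and the `sandboxed`/`enter` names are assumptions, not the crate's API.

```rust
use std::io;
// Platform layer (hypothetical, not capsicum-rs): real Capsicum calls on FreeBSD only.
#[cfg(target_os = "freebsd")]
mod platform {
    use std::os::raw::{c_int, c_uint};
    extern "C" {
        fn cap_enter() -> c_int;
        fn cap_getmode(modep: *mut c_uint) -> c_int;
    }
    pub fn in_capability_mode() -> bool {
        let mut mode: c_uint = 0;
        // SAFETY: cap_getmode only writes the u_int we hand it.
        unsafe { cap_getmode(&mut mode) == 0 && mode != 0 }
    }
    // Some(result): this platform has Capsicum and we attempted to enter it.
    pub fn enter() -> Option<std::io::Result<()>> {
        // SAFETY: cap_enter takes no arguments and affects only this process.
        let rc = unsafe { cap_enter() };
        Some(if rc == 0 { Ok(()) } else { Err(std::io::Error::last_os_error()) })
    }
}

// Same interface everywhere else: there is no capability mode, so say so.
#[cfg(not(target_os = "freebsd"))]
mod platform {
    pub fn in_capability_mode() -> bool { false }
    // None: Capsicum is not available here; the caller's policy decides.
    pub fn enter() -> Option<std::io::Result<()>> { None }
}

/// What to do on a platform without Capsicum.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Fallback {
    NoOp,    // build and run unsandboxed, the no-op the comment asks for
    Require, // fail closed: a program that must be sandboxed refuses to run
}

/// True if this process is already in capability mode (always false off FreeBSD).
pub fn sandboxed() -> bool { platform::in_capability_mode() }
/// Enter capability mode; on FreeBSD this is irreversible and inherited across exec.
pub fn enter(fallback: Fallback) -> io::Result<()> {
    match platform::enter() {
        Some(result) => result,
        None => match fallback {
            Fallback::NoOp => Ok(()),
            Fallback::Require => Err(io::Error::new(io::ErrorKind::Unsupported, "Capsicum unavailable on this platform")),
        },
    }
}
```

A program whose threat model depends on the sandbox should call `enter(Fallback::Require)` at startup so a build for the wrong target exits with an error instead of running wide open.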
___________________________________________________________________
(page generated 2022-11-10 23:02 UTC)