[HN Gopher] Landlock: Unprivileged Access Control
       ___________________________________________________________________
        
       Landlock: Unprivileged Access Control
        
       Author : ptx
       Score  : 34 points
       Date   : 2024-03-30 16:06 UTC (6 hours ago)
        
 (HTM) web link (docs.kernel.org)
        
       | fifteen1506 wrote:
       | Cool, more security mechanisms. In return, can I now use
       | Skyshowtime on Linux?
        
         | yjftsjthsd-h wrote:
         | Unrelated; this protects the machine for the user, DRM protects
         | it against the user.
        
       | MawKKe wrote:
       | related to recent events?
       | https://old.reddit.com/r/linux/comments/1brhlur/xz_utils_bac...
        
       | rdtsc wrote:
       | On the surface this seems similar to seccomp
       | https://www.man7.org/linux/man-pages/man2/seccomp.2.html
        
         | viraptor wrote:
         | It's way simpler. Seccomp is a pita to keep current and
         | complete. Landlock is higher level with concepts of filesystem
         | locations rather than basic low level ops.
        
           | rdtsc wrote:
           | Thanks for explaining. I had tried using seccomp in some
           | previous incarnation, before it allowed passing in eBPF
           | filters, and it was just too restrictive so had to abandon
           | that effort.
        
       | alpb wrote:
       | xz maintainer just pushed this "CMake: Fix sabotaged Landlock
       | sandbox check." commit
       | https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd...
        
         | radicality wrote:
         | Which was sneakily introduced here:
         | https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2...
        
           | sega_sai wrote:
           | Even knowing that it was a dot added, I could not quite
           | easily find this in the diff. Scary...
        
           | tadfisher wrote:
           | Wow, just the process of sneaking in this exploit has layers.
           | Here, it's the presentation of diffs with "+" and "-" line
           | prefixes creating noise that's easy to miss. I bet we'll
           | start seeing tools add a divider between the prefix column
           | and the contents to make changes like this easier to spot.
           | 
           | That said, does GCC accept every non-printing character as
           | whitespace? If not, they could probably have achieved the
           | same thing with a narrow-nonbreaking-space character or
           | similar.
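
A reviewer-side check for the kind of change discussed in the comments above (a single added dot, or an invisible whitespace character), written as an added example that is not part of the thread or of the xz project. The sample diff is constructed, and the function names and the punctuation set are assumptions chosen for illustration.

```python
import re
import unicodedata

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Heuristic: one or two punctuation characters alone on an added line.
STRAY = re.compile(r"^\s*[.,`:?!@$^~|]{1,2}\s*$")

def odd_chars(text):
    """Code points that render as blank or nothing but are not space or tab."""
    return [f"U+{ord(c):04X}" for c in text
            if c not in " \t" and unicodedata.category(c) in ("Zs", "Cf", "Cc")]

def suspicious_added_lines(diff_text):
    """Return (path, new_line_number, reason) for each added line to re-check."""
    findings, path, new_no = [], None, 0
    for raw in diff_text.replace("\r\n", "\n").split("\n"):
        if raw.startswith("+++ "):
            path = raw[4:].strip()
        elif raw.startswith(("-", "\\")):
            continue  # old-file header, removed line, "\ No newline" marker
        elif HUNK.match(raw):
            new_no = int(HUNK.match(raw).group(1))
        else:
            if raw.startswith("+"):
                body = raw[1:]
                if STRAY.match(body):
                    findings.append((path, new_no, f"stray punctuation {body.strip()!r}"))
                if odd_chars(body):
                    findings.append((path, new_no, "non-printing " + ",".join(odd_chars(body))))
            new_no += 1  # context and added lines both advance the new file
    return findings

# Constructed sample diff (not the xz commit): a lone "." added inside a CMake
# feature-test program, and a narrow no-break space (U+202F) in a #define.
SAMPLE = '''--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,3 +10,5 @@
 check_c_source_compiles("
     #include <linux/landlock.h>
+    #include <sys/syscall.h>
+.
     int main(void) { return 0; }
--- a/src/sandbox.c
+++ b/src/sandbox.c
@@ -40,2 +40,3 @@
 static int enabled;
+#define\u202fUSE_SANDBOX 1
 int sandbox_init(void);
'''
```

Calling `suspicious_added_lines(SAMPLE)` reports line 13 of `b/CMakeLists.txt` and line 41 of `b/src/sandbox.c`; the check only narrows where a reviewer looks and does not decide whether a line is malicious.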
        
       ___________________________________________________________________
       (page generated 2024-03-30 23:01 UTC)