-
https://lore.kernel.org/linux-security-module/c1c9c688-c64d-adf2-cc96-dc2aaaae5944@digikod.net/
When a process accesses a file on eCryptfs, the kernel accesses the encrypted underlying file for it …
-
We currently perform testing on a set of synthetic filesystems (e.g. tmpfs, proc, sysfs) thanks to the [`layout3_fs` test variants](https://github.com/landlock-lsm/linux/blob/v6.7/tools/testing/selfte…
-
### Checklist
- [X] I agree to follow the [Code of Conduct](https://github.com/flatpak/flatpak/blob/main/CODE_OF_CONDUCT.md) that this project adheres to.
- [X] I have searched the [issue tracker](ht…
-
We can now control TCP actions (`bind(2)` and `connect(2)`), and it would be useful to have a similar semantic for UDP. It's a bit tricky because of the datagram nature of UDP though.
However, it s…
-
To ensure that all inputs of a command are specified, prevent that a command can access other files in the repository.
15.12.2022 I'm working on realizing it the following way:
- use linux namespa…
-
Before enforcing a sandbox on a fleet with potential different configurations and states, it would be useful to know whether a restriction would have an effect on legitimate use cases. By being able t…
l0kod updated
4 months ago
-
Make use of namespaces(7) to harden Cloud Hypervisor's security.
Firecracker uses a separate program called `jailer`. Virtiofsd uses `unshare` directly in the main program. CrosVM uses https://goog…
liuw updated
3 months ago
-
Add an optional mechanism for sandboxed builds which only makes available the listed dependencies in the `depends` file
Advantages
* Accurate `depends` file - no missing `make` depends
* Possib…
-
### Issue Kind
Brand new capability
### Description
The recent xz dilemma made me think about trust (among other things) and because poetry is central to the python ecosystem I wanted to bring this…
-
### Check for existing issues
- [X] Completed
### Describe the feature
Related to #12354. Language servers downloaded by Zed have full access to everything on the machine. This is problematic from …