
How come?



They're based on blacklisting rather than whitelisting. Security based on blacklisting means you're always going to forget to ban some critical thing. It's why trying to allow HTML but filter out `<script>` tags never works.

An example of whitelisting would be a capability based OS like Fuchsia or a custom non-HTML markup like Markdown that you then allow to use specific safe features like formatting (yeah I know about HTML in Markdown).

That said, this approach is probably the best you can do in Linux by a long way. I can definitely see use cases - e.g. all those services that have to use ffmpeg to transcode videos should definitely use something like this.


Are you saying this about SECCOMP and Landlock? Just to be clear:

- unveil(), based on the Landlock LSM, is a function which whitelists files.

- pledge(), based on SECCOMP BPF, is a function which whitelists system calls.
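To make the "whitelists system calls" half of that concrete, here is an added example of a seccomp BPF allowlist filter in C. It is my illustration of the mechanism, not code from the pledge() implementation the thread discusses and not from the thread. The filter checks the architecture, then allows only the listed syscall numbers and kills the process on anything else, which is the default-deny property the parent comment contrasts with blacklisting. The small `filter_verdict()` interpreter is an assumption added for testing: it evaluates the generated program in userspace so the verdicts can be checked without loading the filter into the kernel. Linux headers and an x86-64 or AArch64 build are assumed.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_INSNS 64

/* Fields of struct seccomp_data the BPF program loads from. */
#define SD_NR   ((unsigned int)offsetof(struct seccomp_data, nr))
#define SD_ARCH ((unsigned int)offsetof(struct seccomp_data, arch))

/* Kernel audit-arch token for this build (assumed x86-64 or AArch64). */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* older headers */
#endif

/* Emit an allowlist: each syscall number in `allowed` returns ALLOW,
 * everything else (including a foreign architecture) kills the process.
 * Returns the number of instructions written, or -1 if `prog` is too small. */
static int build_allowlist(struct sock_filter *prog, int max,
                           const int *allowed, int nallowed)
{
    int n = 0;
    if (nallowed < 0 || nallowed > 255 || max < nallowed + 6) return -1;
    /* Architecture first: syscall numbers mean nothing without it. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH);
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR);
    /* One compare per allowed syscall; a match jumps to the final ALLOW. */
    for (int i = 0; i < nallowed; i++)
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned int)allowed[i],
                                                 (unsigned char)(nallowed - i), 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Userspace interpreter for the three opcodes the builder emits (hypothetical
 * helper for checking verdicts; the kernel is the real evaluator). */
static unsigned int filter_verdict(const struct sock_filter *prog, int n,
                                   unsigned int arch, unsigned int nr)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == SD_ARCH) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            abort(); /* the builder never emits anything else */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: deny */
}

/* Load the filter into the kernel for this process and its future children. */
static int install_allowlist(struct sock_filter *prog, int n)
{
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    /* Required for an unprivileged process: no setuid gain after filtering. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group, SYS_exit };
    int n = build_allowlist(prog, MAX_INSNS, allowed, 4);
    if (n < 0) return 1;
    printf("openat verdict before install: %s\n",
           filter_verdict(prog, n, THIS_ARCH, SYS_openat) == SECCOMP_RET_ALLOW
               ? "allow" : "kill");
    if (install_allowlist(prog, n) != 0) return 1;
    /* write(2) is allowed; anything outside the list would now kill us. */
    const char msg[] = "allowlist installed\n";
    write(1, msg, sizeof msg - 1);
    _exit(0);
}
```

Once installed the filter cannot be removed, only tightened by stacking more filters, so `install_allowlist()` belongs after setup and before untrusted input is touched; the userspace check is only there to show what the kernel will decide.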


Yeah, though looking through the code it does actually look very solid. I didn't see that you actually whitelist `/proc/cpuinfo` before.



