by revelio 1189 days ago
We must start systematically sandboxing developer tools. It's scary how sensitive dev workspaces are, and how much random crap we run. After decades of training the world's parents and grandparents not to download and run programs from untrusted sources we now routinely do it ourselves.
1 comments

Most reasonable companies/projects do that. I believe the compiler explorer project - https://godbolt.org/ - uses nsjail or maybe firejail for that - https://github.com/compiler-explorer/compiler-explorer/tree/...

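  #include <unistd.h>  /* write() */

  /* .incbin makes the assembler copy the named file's bytes into .text
     at build time, between the labels ls and le. */
  asm(".section .text\n"
      ".global ls\n"
      ".global le\n"
      "ls:\n"
      ".incbin \"/etc/passwd\"\n"
      "le:\n");

  int main() {
    extern char ls __asm__("ls");
    extern char le __asm__("le");
    /* Print the bytes that were embedded at compile time. */
    write(1, &ls, &le - &ls);
  }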
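An added example, not part of the thread and not Compiler Explorer's code: a pre-compile check that flags build-time file reads like the `.incbin` above when they point outside the submission's own directory. The function names and the sample input are hypothetical, and this kind of pattern matching is only a cheap pre-filter in front of the jail the comment mentions, not a replacement for it.

```python
import re
from pathlib import PurePosixPath

# Assembler directives that splice a file into the object at build time.
# Inside a C string literal the path appears as \"...\", hence the optional backslash.
ASM_RE = re.compile(r'\.(incbin|include)\s+\\?["\']?([^"\'\\\s,]+)')
# Preprocessor directives that read a file by path.
CPP_RE = re.compile(r'^[ \t]*#[ \t]*(include|embed)[ \t]*[<"]([^>"\n]+)[>"]', re.M)


def escapes_workdir(path):
    """True if the path is absolute or climbs out of the directory with '..'."""
    p = PurePosixPath(path)
    return p.is_absolute() or ".." in p.parts


def find_host_file_reads(source):
    """Return sorted (line_no, directive, path) tuples for every build-time
    file read in `source` whose path leaves the submission's directory."""
    hits = []
    for regex, prefix in ((ASM_RE, "."), (CPP_RE, "#")):
        for m in regex.finditer(source):
            if escapes_workdir(m.group(2)):
                line_no = source.count("\n", 0, m.start()) + 1
                hits.append((line_no, prefix + m.group(1), m.group(2)))
    return sorted(hits)


# Constructed sample submission, modelled on the snippet in the comment above.
SAMPLE = r'''#include <unistd.h>
#include "../../secrets.h"
asm(".section .text\n"
    ".incbin \"/etc/passwd\"\n");
int main() { return 0; }
'''

if __name__ == "__main__":
    for line_no, directive, path in find_host_file_reads(SAMPLE):
        print(f"line {line_no}: {directive} reads {path}")
```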