by cookiengineer
538 days ago
I first read it as a joke, but come to think of it... this would actually be quite awesome for malware isolation and sandboxing. Giving software/apps different fake profiles that look like different identities on the filesystem would be quite the feature. You would have to have some kind of launcher where you can select the isolated chroot/sandbox you want to run that specific program in. Implementation-wise this could actually be done with eBPF, as most if not all syscalls can be intercepted and "farbled" (Brave's terminology) there. Features-wise this would probably be a separate filesystem for each program context, plus the things that firejail implements in userspace. Shared libraries would have to be loaded separately into memory, and glibc would have to be changed to not use any environment variables or debugging-related function calls. Welp, maybe docker+xorg is easier.