Hacker News
by hypeatei 235 days ago
OpenBSD's pledge is so simple and nice to use. I really wish Linux would incorporate it. Seccomp is a nightmare to implement.
2 comments

I'd rather have a simple coarse-grained mechanism than whatever fever dream that seccomp, SELinux and AppArmor are. A convoluted mess incorporating almost Turing-complete languages that are just asking to shoot yourself in the foot a mile deep.

The simplicity of pledge is good enough for 99% of use cases, I'd wager, AND easy to add to existing code.

There is a port...

    https://github.com/jart/pledge

    https://justine.lol/pledge/

That uses seccomp under the hood and requires a custom libc, I think?

Definitely a nice project, but I don't know if I'd use it in production.