Flatpak manifests include a list of ACLs per app. Flatseal is one way to change the permissions granted to a flatpak. Restarting an app is required for permissions changes to take effect.

Audit2allow and desbma/shh can generate policies.

systrack, list-syscalls.rb, "B-Side: Binary-Level Static System Call Identification"; https://news.ycombinator.com/item?id=46726677

/? which linux lsm's allow online policy changes: https://www.google.com/search?q=which+linux+lsm%27s+allow+on...

Writing to securityfs requires root privs.

> for resource metering. Also for optimization with objective costs.

> It's closer to metered execution than sandboxing,

Linux cgroups support resource quotas. Systemd supports specifying per-unit resource quotas.

/? what part of linux containers supports resource quotas? profiling? opcode counting?

>> Opcode Counting: This is typically done through hardware counters and kernel instrumentation, specifically using perf_events and eBPF (specifically tracepoints or kprobes)

Kernel docs > admin guide > perf_events: https://docs.kernel.org/admin-guide/perf-security.html :

> Usage of Performance Counters for Linux (perf_events) [1], [2], [3] can impose a considerable risk of leaking sensitive data accessed by monitored processes.

How to mitigate such concerns with lower-level opcode counting for eWASM?

Brendan Gregg's > perf examples: https://www.brendangregg.com/perf.html , and BPF/Perf book: https://www.brendangregg.com/bpf-performance-tools-book.html

I respectfully doubt that it's safe to trust runtime sandboxing. Containersec folks can probably explain why userspace filtering can never solve as well

bubblewrap README > Sandboxing: https://github.com/containers/bubblewrap#sandboxing

arch wiki > Bubblewrap > Using portals; XDG Desktop Portal: https://wiki.archlinux.org/title/Bubblewrap#Using_portals

> cloudflared/workerd: https://github.com/cloudflare/workerd :

>> WARNING: workerd is not a hardened sandbox

wasmtime-mte requires support for ARM64 Memory Tagging Extensions.
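A small audit of the per-app ACLs the comment mentions (the `finish-args` list in a flatpak-builder manifest), as an added example that is not from the comment, Flatpak or Flathub; it assumes a JSON manifest using the standard `finish-args` key, and the set of "broad" permissions it flags is this example's own choice, not a Flatpak rule.

```python
import json

# Permissions that widen the sandbox well beyond a typical desktop app's needs.
# This list is the example's own selection (assumption), not Flatpak policy.
BROAD_PERMISSIONS = {
    "--filesystem=host": "full host filesystem",
    "--filesystem=home": "entire home directory",
    "--socket=session-bus": "unfiltered session D-Bus",
    "--socket=system-bus": "unfiltered system D-Bus",
    "--socket=x11": "X11 display (no isolation between X clients)",
    "--device=all": "all device nodes",
    "--talk-name=org.freedesktop.Flatpak": "Flatpak host-side portal",
}


def audit_finish_args(manifest_json: str) -> list[tuple[str, str]]:
    """Return (argument, reason) pairs for every broad permission in finish-args.

    Options like --filesystem=home:ro carry a ':' suffix; the key before the
    suffix is what is matched, so read-only variants are still reported.
    """
    manifest = json.loads(manifest_json)
    findings = []
    for arg in manifest.get("finish-args", []):
        key = arg.split(":", 1)[0]
        if key in BROAD_PERMISSIONS:
            findings.append((arg, BROAD_PERMISSIONS[key]))
    return findings


# Constructed sample manifest (not a real app) with a mix of narrow and broad grants.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.Demo",
    "finish-args": [
        "--share=ipc",
        "--socket=wayland",
        "--filesystem=xdg-download",
        "--filesystem=home:ro",
        "--socket=session-bus",
        "--device=all",
    ],
})

if __name__ == "__main__":
    for arg, reason in audit_finish_args(SAMPLE_MANIFEST):
        print(f"{arg:32} {reason}")
```

Flagged entries are the ones worth narrowing in the manifest or tightening per install with Flatseal or `flatpak override`, after which the app must be restarted as the comment notes.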