Follow

might be interesting: a new process isolation method was just merged into the kernel, landlock, that does not itself need special permissions to use, and has object instead of syscall granularity

docs here: landlock.io/linux-doc/landlock

patch set: lore.kernel.org/lkml/11a1adfd-

· · Web · 1 · 4 · 12

@orionwl
Object Capability Security is the crab of infosec. Everything eventually evolves into it.

@cjd @orionwl Even if it's just a hyper-specialized, per-thread ACL mechanism and doesn't involve actual capabilities.

@vertigo @cjd @orionwl <snark>I see Linux is finally catching up to where FreeBSD was nearly a decade ago w.r.t. OCAP. And as usual the Linux version is far more complicated and will probably be riddled with security holes due to the much larger attack surface.</snark>

(The snark tags mean you can't argue with me.)

@vertigo @cjd @orionwl (Also I use Linux and not FreeBSD so you doubly can't argue with me.)

@freakazoid @cjd @orionwl Meanwhile, the Plan 9 devs are keeling over with oxygen deprivation from laughing at both Linux and *BSD communities so hard.

And, I can't say I blame them.

@vertigo @cjd @orionwl My concern about Plan 9 is that it's gone a ways down an evolutionary path I don't think makes sense anymore. It's like an alternate history that can never be merged into this one.

@freakazoid @cjd @orionwl I would argue that the only reason this alternate history cannot be merged into this one is because no one bothered to try, and now it's too late.

@freakazoid @vertigo @cjd its okay i don't ever argue anymore, i just cheer anything i see as even a small improvement

Sign in to participate in the conversation
unidentified instance

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!