
I was exploring the actual implementation[0] of a capabilities feature in Node.js and was utilising seccomp (via libseccomp), on Linux at least, to achieve a greater degree of security than might otherwise be possible by remaining in userland code. The idea is that you'd write your code, import whatever you like and define your capabilities upfront at initialisation. The problem is there's such a big disconnect between what you are doing in JavaScript and what's happening with system calls in V8, libuv and the other native parts that it's difficult to predict what you need to block and what's actually going to happen. So I don't think my approach is really viable in a general sense, although capabilities in general I think would improve the situation if the wider community were to adopt the approach.

[0]. https://github.com/roryrjb/node-seccomp



Cool.

OS level code, realistic discussion of issues and approaches.

Thanks for the contribution.



