I don't think it's a bad idea, but currently packages aren't written with adversarial packages in mind. E.g. requests in Python should have network access, but probably not if it's called from a sandboxed package, but you might be able to trick certain packages into calling functions for you without having your package in the call stack (e.g. asyncio event loop or Thread). I think any serious attempt would get pushback from library authors.
Also it's hard to argue against hard process isolation. Spectre et al. are much easier to defend against at process boundaries. It's probably higher value to make it easier to put submodules into their own sandboxed processes.
> It would be useful to have different levels of restrictions for various modules within a single process, which I don’t think pledge can do.
Sure: the idea could be improved a lot. And then there is the maintenance burden. Here, perhaps a step forward would be if every package author would provide a "pledge" (or whatever you want to call the idea) instead of others trying to figure out what capabilities are needed. Then you could also audit whether a "pledge" holds in reality.
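An added example (not code from either commenter) of auditing a declared pledge against what a package actually does, using CPython's audit hooks, and of the call-stack caveat raised earlier in the thread. `PLEDGE`, `library_read` and the two plugin functions are hypothetical names, and attributing events by walking the stack is an assumption of this example, not a mechanism anyone in the thread proposed.

```python
import os
import sys
import threading

PLEDGE = {"os.listdir"}            # hypothetical: audit events the plugin declares it needs
WATCHED = {"open", "os.listdir"}   # real CPython audit event names
observed = []                      # (event, attributed_to_plugin) pairs
_state = {"on": False, "plugin_code": set()}

def _hook(event, args):
    """Record watched events and attribute them by walking the calling stack."""
    if not _state["on"] or event not in WATCHED:
        return
    if event == "open" and args[0] != os.devnull:
        return                     # ignore unrelated opens (imports and so on)
    frame, mine = sys._getframe(), False
    while frame is not None and not mine:
        mine = frame.f_code in _state["plugin_code"]
        frame = frame.f_back
    observed.append((event, mine))

sys.addaudithook(_hook)            # process-wide; audit hooks cannot be removed

def library_read():
    """Stands in for a trusted third-party helper that touches the filesystem."""
    with open(os.devnull) as fh:
        return fh.read()

def plugin_direct():
    os.listdir(os.curdir)          # pledged
    library_read()                 # raises "open": not pledged, plugin frame is on the stack

def plugin_deferred():
    # Same read, but run by threading: no plugin frame on the new thread's stack.
    worker = threading.Thread(target=library_read)
    worker.start()
    worker.join()

def audit(plugin):
    """Run plugin; return (pledge violations, events no plugin frame accounts for)."""
    _state["plugin_code"] = {plugin.__code__}
    observed.clear()
    _state["on"] = True
    try:
        plugin()
    finally:
        _state["on"] = False
    violations = sorted({e for e, mine in observed if mine and e not in PLEDGE})
    unattributed = sorted({e for e, mine in observed if not mine})
    return violations, unattributed
```

The direct call is caught as a pledge violation, while the deferred one only shows up as an unattributed event, so an audit of this kind has to treat unattributed events as findings rather than ignore them.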