Y'all need to discover pledge(2), unveil(2) and privilege separation.
https://twitter.com/majek04/status/1034759172041129984 …
-
Yeah, doesn't really support the incremental dropping mechanics either, just a single policy to rule them all, nothing preventing going the other way either.
-
All aspects of a good privilege model should be incremental and irreversible drop. (No suid or setcap, etc.) With that you can make chroot, all namespace type operations unprivileged and safe.