Comment by kentonv
10 years ago
You are correct that pledge itself (or seccomp+namespaces on Linux) does not form a useful sandbox. These mechanisms are useful for blocking out the world, but not for re-establishing access to certain resources that the app needs to do its job.
> "should be able to write only files that the local user has chosen via the save dialogue"
The web platform, incidentally, supports this! You can invoke a "choose file" dialog, and then your web page gets access to the one file the user chose.
In capability-based security circles, this pattern is called a "Powerbox". The pattern works especially well in capability systems, where it can be used to choose more than just files.
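As an added illustration (not the commenter's code), the Powerbox pattern modelled in plain JavaScript: a trusted broker owns the whole file store, and the sandboxed app receives only an unforgeable handle to the one file the user picked. The in-memory store, file names and contents are constructed for the example; the `chooser` callback stands in for the user's choice in the dialog.

```javascript
// Constructed in-memory "filesystem"; no real disk access happens here.
const store = new Map([
  ['/home/user/notes.txt', 'grocery list'],
  ['/home/user/secrets.txt', 'do not touch'],
]);

// The powerbox is the only component that can turn a path into a handle.
// The app is never given the store or any path string, so it cannot name
// or reach files other than the one handed to it.
function makePowerbox(files) {
  function handleFor(path) {
    // The handle closes over `path`; it is frozen so the app cannot add
    // or swap methods to get at anything else.
    return Object.freeze({
      read: () => files.get(path),
      write: (data) => { files.set(path, data); },
    });
  }
  return {
    // `pickFile` plays the role of the "choose file" dialog: the trusted
    // side shows the choices, the user picks, and only that pick is granted.
    pickFile(chooser) {
      const chosen = chooser([...files.keys()]);
      if (chosen === undefined || !files.has(chosen)) return null; // cancelled
      return handleFor(chosen);
    },
  };
}

// The sandboxed app: everything it can do is what the handle allows.
function runApp(powerbox, chooser) {
  const handle = powerbox.pickFile(chooser);
  if (handle === null) return { saved: false };
  handle.write(handle.read().toUpperCase());
  return { saved: true, content: handle.read(), hasPath: 'path' in handle };
}
```

Compare this with a path-based API: an app that accepts `"/home/user/notes.txt"` as a string has, by construction, the vocabulary to ask for any other path, which is exactly what the handle design removes.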