Comment by cosmicriver
2 days ago
I am also surprised that capabilities weren't more widely implemented after mobile OSes demonstrated they are practical. I know Windows made a move in that direction with UAC but had to soften it due to user alert fatigue. So I guess having no legacy apps and a centralized repository helps.
I've recently been looking into Guix SD as a solution. Its package management is designed to keep programs independent of each other, so containers are cheap and lightweight. Trying out untrusted software is as easy as `guix shell --container --pure --no-cwd [program]`, which blocks access to the network, file system, and environment variables. Right now I'm adding more advanced capability management: limits on CPU, memory, storage space, network use, etc.
I use nix + bwrap, which gives a similar result. It works well enough, though I really ought to restrict reads to only the closure.
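An added example (not the commenter's harness or any published project code) of what the nix + bwrap approach looks like when reads really are restricted to the closure: every store path in the program's runtime closure is bound read-only, nothing else exists in the sandbox, and network, environment and cwd are dropped much like the `guix shell --container --pure --no-cwd` invocation above. It assumes `bwrap` and `nix-store` are installed for the `run_sandboxed` wrapper; `build_bwrap_args` needs neither, and the store paths used to exercise it are constructed, not real.

```shell
#!/bin/sh
# Added example, not the commenter's harness: wrap a Nix-built program in
# bubblewrap so that only its runtime closure is readable (read-only), with
# no network, no inherited environment and no access to the caller's cwd.
# Assumes `bwrap` and `nix-store` exist on the host for run_sandboxed;
# build_bwrap_args itself needs neither.

# build_bwrap_args CLOSURE_FILE
#   CLOSURE_FILE holds one /nix/store path per line (the output format of
#   `nix-store -qR PROGRAM`). Prints bwrap plus its options, one per line,
#   up to but not including the command to run. Refuses anything outside
#   /nix/store so a stray "/" or "/home" line cannot widen the sandbox.
build_bwrap_args() {
    closure_file=$1

    # Isolation knobs, roughly the bwrap spelling of
    # `guix shell --container --pure --no-cwd`:
    #   --unshare-all   new user/mount/pid/net/ipc/uts/cgroup namespaces,
    #                   so there is no network (add --share-net to opt back in)
    #   --clearenv      drop every inherited environment variable
    #   --new-session   no controlling tty, so the sandboxed process cannot
    #                   push keystrokes into the parent shell via TIOCSTI
    #   --chdir /tmp    start in a private tmpfs, not the caller's cwd
    printf '%s\n' bwrap \
        --unshare-all --die-with-parent --new-session --clearenv \
        --proc /proc --dev /dev --tmpfs /tmp --chdir /tmp

    # Filesystem: nothing but the closure. Each store path is bound read-only
    # at its own location; the rest of /nix/store, /etc, /home and so on do
    # not exist inside the sandbox at all.
    while IFS= read -r path; do
        case $path in
            /nix/store/*) printf '%s\n' --ro-bind "$path" "$path" ;;
            '') ;;
            *) printf 'build_bwrap_args: refusing non-store path %s\n' "$path" >&2
               return 1 ;;
        esac
    done < "$closure_file"
}

# run_sandboxed /nix/store/...-hello-2.12/bin/hello [ARGS...]
#   Computes the runtime closure of the program and execs it inside the
#   sandbox. Store paths and bwrap options contain no whitespace, so the
#   unquoted expansion of build_bwrap_args output is safe; user ARGS are
#   kept quoted and passed after "--".
run_sandboxed() {
    program=$1
    shift
    closure=$(mktemp) || return 1
    nix-store -qR "$program" > "$closure" || { rm -f "$closure"; return 1; }
    args=$(build_bwrap_args "$closure") || { rm -f "$closure"; return 1; }
    rm -f "$closure"
    # shellcheck disable=SC2086
    set -- $args -- "$program" "$@"
    exec "$@"
}
```

Usage is `run_sandboxed "$(readlink -f "$(which hello)")" --greeting=hi`. Unprivileged `--unshare-all` needs user namespaces enabled on the host, and anything the program legitimately needs outside its closure (an X11 socket, a data directory, `--share-net`) has to be added back deliberately, which is exactly the point: the default is nothing.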
> I use nix + bwrap
In an automated way, or have implemented as hand-written wrappers? And regardless, have you published the code (and/or talked about how it works) anywhere? It'd be really nice to have a gentler onramp to sandboxing things, and nix should be well-placed for it.
An automated way, as part of a tree-based harness. I haven't published the code yet but should hopefully be able to soon!