Comment by OJFord
3 days ago
Ah, I was excited by 'sandboxing on Linux', but it's only for build.
How many more supply chain attacks will it take for someone to build a really great sandboxing/permissioning system, that's easy enough to use that we actually use it?
Say I install an `ls` alternative (because it's on the HN front page as 'ls but in lang du jour' or whatever) – it should be really simple for me to allow it read-only access to only the passed directory. I don't think firejail or AppArmor even supports that, and it'd probably take me half a day to figure it out in bubblewrap.
I just want a mobile-OS style pop-up the first time programs try to do something for me to deny, approve always, approve this time, approve by dir, or custom thing matching on the args.
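As an added example (not from the thread, Homebrew, or bubblewrap's own docs), here is one way to do the "read-only access to only the passed directory" case above with bubblewrap. It assumes `bwrap` is installed, a merged-/usr host layout (/bin, /lib, /lib64 are symlinks into /usr), and that the tool is given by absolute path.

```shell
# Added example, not from the thread: wrap an untrusted `ls` replacement in
# bubblewrap so it gets read-only access to the directory it was given and
# nothing else. Assumes: bwrap is installed, the host has a merged /usr
# (/bin, /lib, /lib64 are symlinks into /usr), and TOOL is an absolute path.

# Print the bwrap argument list for TOOL and DIR, one argument per line, so the
# policy can be inspected or tested without launching anything.
sandbox_args() {
    tool=$1
    dir=$2
    # Resolve DIR to a physical absolute path so the bind matches what the
    # user meant even if DIR is relative or reached through a symlink.
    absdir=$(cd "$dir" && pwd -P) || return 1
    printf '%s\n' \
        --unshare-all \
        --die-with-parent \
        --new-session \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --ro-bind "$tool" "$tool" \
        --ro-bind "$absdir" "$absdir" \
        --chdir "$absdir" \
        "$tool" "$absdir"
}

# Run TOOL on DIR inside the sandbox. The argument vector is rebuilt from the
# newline-separated list above, so paths may contain spaces but not newlines.
sandboxed_ls() {
    args=$(sandbox_args "$1" "$2") || return 1
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$args
EOF
    bwrap "$@"
}

# Usage: sh this.sh /usr/bin/some-ls-clone ~/projects
[ "$#" -eq 2 ] && sandboxed_ls "$1" "$2"
```

Everything outside the bound directory is absent inside the sandbox rather than merely unwritable, and no network namespace is shared, so a malicious replacement has nothing to exfiltrate to and nothing to read beyond the directory you named.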
Sounds like a great idea, thanks for volunteering to pitch in and help!
It wasn't a criticism, I was just excited for a second thinking "Homebrew's doing this, I trust that it's probably doing it well, I definitely want to check this out".