Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Stop spreading misinformation. Hell stop replying to me. You're basically a cultist at this point with your irrational emotional devotion.

That's not a 'weaker version of pledge', it's part of a much larger framework with much greater enforcement capabilities.



I've used it. I know what it does. For a while, I've even run a linux with a slightly patched version of it for some quirky needs of my own.

seccomp-bpf is a more fragile version of pledge; you need to keep changing your sandbox whenever you upgrade glibc, because there's no mechanism to keep syscall usage in sync between the kernel and userspace.

It was fine for my case, because I was implemeting my own direct system calls, and froze any external dependencies, but it's typically very fragile across system and dependency upgrades.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: