52 points | by eshelyaron 3 days ago ago
3 comments
It's getting so very old - all I want out of a process is code autocomplete, but I have to grant it read & write permission to my entire disk and network. When do we get good permissions and sandboxing and isolation? This can't go on.
I agree granting processes permission to read any file is unsustainable.
In Linux, sandboxing with Firejail and bwrap is quite easy to configure and allows fine-grained permissions.
Also, the new Landlock LSM and LSM-eBPF are quite promising.
I build my own. Maybe I nee to externalize it...
It's getting so very old - all I want out of a process is code autocomplete, but I have to grant it read & write permission to my entire disk and network. When do we get good permissions and sandboxing and isolation? This can't go on.
I agree granting processes permission to read any file is unsustainable.
In Linux, sandboxing with Firejail and bwrap is quite easy to configure and allows fine-grained permissions.
Also, the new Landlock LSM and LSM-eBPF are quite promising.
I build my own. Maybe I nee to externalize it...