Hacker News new | past | comments | ask | show | jobs | submit login

Everything I've read about pledge and unveil really admire the approach and the results but it didn't seem to have a big impact outside of OpenBSD. It took ~20 years for OpenBSD's CSPRNG to be re-implemented everywhere else maybe we're operating on a similar timeline here.



https://justine.lol/pledge/

While not the same, this is a SECCOMP-based Linux alternative (and it can even be used to restrict pre-compiled binaries).


We definitely took inspiration and implemented in the nanos unikernel cause we think it's a great idea:

https://nanovms.com/dev/tutorials/applying-sandbox-security-...


This is generally how modern systems do sandboxing.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: