You the idiot STILL fail to understand that this IS the kernel isolating resources. These are just utilities that use the existing kernel protocols to set up sandboxes. All these tools, docker, flatpak, snap, lxd, are using the same kernel features.
Flatpaks, Snapd, etc.
Docker running some statically linked distro (suckless gang wins again) is better, and has actual features (load balancing over a cluster, for example) instead of dumb memes and a GUI.
>this are the kernel isolating resources
I'll assume you're a secondary English learner.
Why would I implement these rather than source compiling on a hardened [micro] kernel?
Explain to me the advantage.
Because compiling shit and then running it provides no isolation whatsoever.
Look faggot grammar cucking is for reddit
Could a sandbox even work with something like Gimp? Being able to write images to any directory is something I would expect from an image editor.
Snap and flatpak straight up make my software run faster. It's alright
You could disable network access, have it use the secure mode X connection (can't keylog you like X over ssh), limit it to your images folder (and the config folder), and then you have a way way way more secure image editor that can't destroy your user after you open a meme with an exploit in it.
If this were improved on you could have a mode that isolates everything by default and then gives you a popup.
Things like this would make everyday applications way more secure for the average user.
The desktop OS permissions model is just fucked and no amount of ghetto-rigged patches will solve it, I am afraid. How many programs you have installed need full disk access? Your GIMP doesn't need access to anything else than media directories, nor most /tmp files; GIMP may be a benign and hard to exploit program, but what about Firefox? Why the fuck does it have access to your .bashrc? You know finding an RCE and then modifying it to load your backdoor is the easiest fucking way to install a userland keylogger to get your root password when using su or sudo from one of your terminals, then proceed to infect the rest of the system, right? Granted, it is very obvious, but who checks all their init files daily before writing their passwords?
Also, why the fuck are the kernel's security extensions only settable by root? Why can't I, as a user, tell a program not to have access to certain kernel calls? In order to set up certain sandboxes, you need to invoke a SUID executable to set up all correct permissions, which kind of defeats the point of security.
We need to get our shit together. Sandboxing is a patch; a nice patch, but a simple patch over a gigantic hole, after all. Not all programs need access to every capability, and you don't need to escalate privileges to limit privileges. That's just stupid. The only OS that gets this more or less right is Android, and the rest of it is a dumpster fire so go figure.