Flatpak does seccomp syscall filtering like Docker containers do on Linux
"Move all seccomp filters to xdg-seccomp-filters project"
https://github.com/flatpak/flatpak/issues/4466
- Is there a limited set of syscalls for bin/python in general use?
- A given application which uses Python only need
There must be capabilities/permissions specified in wheel package
manifests:
OCI Open Container Interface specs are implemented in e.g. Podman and
buildah but not yet in Docker (moby engine) or BuildKit, fwiu. Like Docker,
Podman works on Linux/Mac/Windows.
The OCI specs do not specify how or w
I'm of the opinion that trying to sandbox an otherwise unaltered
runtime and standard library will run into the same walls as previous
attempts. My sense of this is if the Python community had the appetite
for effective fine-grained access control policies, it would require
embedding enforcement in
On Thu, 2 Mar 2023 at 06:30, Lucas Wiman wrote:
> One way this could be implemented is by providing some primitives for
> sandboxing subprocesses. E.g. in the requirements file add an optional
> section for sandbox directives that will cause the import to be executed in a
> subprocess with a re
On Sun, Feb 26, 2023 at 7:31 AM python--- via Python-ideas <
python-ideas@python.org> wrote:
> Supply chain attacks are becoming a pressing concern in software
> development due to the large number of dependencies and multiple attack
> vectors. Using third party modules (libraries, packages etc)
Hi Aarnav,
You are right that supply chain attacks are a growing concern in software
development, and limiting access to sensitive APIs can be a useful mitigation
strategy. Python is no exception to this and could benefit from such
functionality.
Your experiment with cpython is interesting, an