dz...@disroot.org wrote:
> If there isn't - what about changing the kernel so unveiled paths persist
> between execs? That would allow very easy container-like sandboxing.
This last sentence bothers me a lot, I am extremely jaded having heard the same ideas over and over and over. "very easy" is not thought through to the end. unveil and pledge are not container-like sandboxes. I wish people would stop trying to assume highly-detailed technologies for one problem domain can automatically satisfy some other problem domain. unveil and pledge exist for a process to *PROTECT AGAINST ITS OWN MISBEHAVIOUR*. If you use "exec", you have intentionally and visibly opened an escape hatch to run other programs, which are EXPECTED to self-protect against their own misbehaviour. Sandboxes are for little children with tonka trucks.