Comment by razighter777
Comment by razighter777 4 days ago
Yup. In the application code itself is where landlock shines at the moment.
It's becoming increasingly usable as a wrapper for untrusted applications as well.
Comment by razighter777 4 days ago
Yup. In the application code itself is where landlock shines at the moment.
It's becoming increasingly usable as a wrapper for untrusted applications as well.
Systemd's exec capabilities are great, but don't allow the application developer to dynamically restrict access rights to resources. So you could restrict a text editor for instance to the file it was launched to edit, instead of a hardcoded directory.
I don't understand why someone would wrap an untrusted application with their own code vs using something like Systemd's exec capabilities to do the same without having to have a binary wrapper. What benefits do you see over the systemd solution?