# I am the Watcher. I am your guide through this vast new twtiverse.
# 
# Usage:
#     https://watcher.sour.is/api/plain/users              View list of users and latest twt date.
#     https://watcher.sour.is/api/plain/twt                View all twts.
#     https://watcher.sour.is/api/plain/mentions?uri=:uri  View all mentions for uri.
#     https://watcher.sour.is/api/plain/conv/:hash         View all twts for a conversation subject.
# 
# Options:
#     uri     Filter to show a specific user's twts.
#     offset  Start index for query.
#     limit   Count of items to return (going back in time).
# 
# twt range = 1 16
# self = https://watcher.sour.is/conv/24f2qnq
How have I missed Linux’s landlock? 🤔 Maybe we’ll get something like OpenBSD’s pledge/unveil some day. For now, landlock appears to be more complicated, but we’ll see how it goes. Gotta play with this some time. 🤔
@movq What does this do? 🤔
@prologic It’s a way for a process to lock itself down.

One common pattern would be this: Early during startup, a process reads some configuration files. Once done, it can lock itself down and tell the kernel that it won’t need any further filesystem access at all (or only access to certain paths). If the process gets hacked later on, the attacker won’t be able to read files.

As I understand it, this is better than static restrictions like AppArmor and the likes, because those apply to the entire lifespan of the process.

And it’s much easier to use than something like chroot. OpenBSD’s pledge and unveil are particularly easy to use, making it feasible to use them in almost any program (not just the ones that you might consider “security critical”):

- https://why-openbsd.rocks/fact/pledge/
- https://why-openbsd.rocks/fact/unveil/

Even something like cal (that thing that prints a calendar) uses pledge in OpenBSD: https://github.com/openbsd/src/blob/master/usr.bin/cal/cal.c#L153
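
The read-config-then-lock-down pattern from the post above, as an added example that is not part of the original thread. It assumes Linux 5.13+ with Landlock enabled and kernel headers that ship `linux/landlock.h`; the function names and the `/etc/passwd` stand-in for a config file are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop all filesystem read access for this process, irreversibly.
 * Returns 0 on success, -1 if Landlock is unavailable or disabled. */
static int lock_down_reads(void)
{
    /* Both rights exist since Landlock ABI 1, so no version probe is needed. */
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
                             LANDLOCK_ACCESS_FS_READ_DIR,
    };
    /* No rules are added: every handled access is denied everywhere. */
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (rs < 0) return -1;
    /* no_new_privs is what lets an unprivileged process sandbox itself. */
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0)
        rc = (int)syscall(__NR_landlock_restrict_self, rs, 0);
    close(rs);
    return rc == 0 ? 0 : -1;
}

/* Child process: read `path`, lock down, then try to read it again.
 * Returns 0 = second open denied, 1 = still readable, 2 = no Landlock,
 * 3 = file unreadable even before lockdown, -1 = fork/wait failure. */
int demo_read_then_lock(const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(path, O_RDONLY);            /* startup: read the config */
        if (fd < 0) _exit(3);
        close(fd);
        if (lock_down_reads() != 0) _exit(2);
        _exit(open(path, O_RDONLY) < 0 ? 0 : 1);  /* after lockdown */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { return demo_read_then_lock("/etc/passwd"); }
```

File descriptors opened before the lockdown stay usable, so a program can keep a log file or socket open and still lose the ability to open anything new.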
@movq Don't we already have containers though? Linux cgroups alert find toy a level of isolation that is already pretty starting?
@prologic First, yes, Linux has many features in that area and that’s not a great situation as it complicates everything. 🫤

The two key advantages of landlock (or pledge/unveil) would be: a) Much easier to use / more lightweight, b) usable by non-root users.

Been a while since I watched it, I think this talk by one of the OpenBSD devs was pretty good: https://www.youtube.com/watch?v=gvmGfpMgny4