The two key advantages of landlock (or pledge/unveil) would be: a) Much easier to use / more lightweight, b) usable by non-root users.
Been a while since I watched it, I think this talk by one of the OpenBSD devs was pretty good: https://www.youtube.com/watch?v=gvmGfpMgny4
- ✅ Laundry.
- ✅ Dishes.
- ✅ Killed the alien queen in Duke 3D.
- ✅ Taxes.
One common pattern would be this: Early during startup, a process reads some configuration files. Once done, it can lock itself down and tell the kernel that it won’t need any further filesystem access at all (or only access to certain paths). If the process gets hacked later on, the attacker won’t be able to read files.
As I understand it, this is better than static restrictions like AppArmor and the likes, because those apply to the entire lifespan of the process.
And it’s much easier to use than something like chroot. OpenBSD’s pledge and unveil are particularly easy to use, making it feasible to use them in almost any program (not just the ones that you might consider “security critical”):
- https://why-openbsd.rocks/fact/pledge/
- https://why-openbsd.rocks/fact/unveil/
Even something like cal (that thing that prints a calendar) uses pledge in OpenBSD: https://github.com/openbsd/src/blob/master/usr.bin/cal/cal.c#L153
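The startup pattern described in the post above, sketched with Linux Landlock in C. This is an added example, not code from the post or from OpenBSD; the function names and the `/etc/passwd` path are assumptions, and the work runs in a child process only so that the caller stays unrestricted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for "read the config": returns 0 if `path` opens for reading. */
static int can_read(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* A ruleset that handles read access but holds no "allow" rules denies
 * reads everywhere once it is enforced on the calling process. */
static int lock_down(void) {
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
    };
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (rs < 0) return -1;  /* kernel without Landlock, or syscall filtered */
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);  /* needed when unprivileged */
    if (rc == 0) rc = (int)syscall(__NR_landlock_restrict_self, rs, 0);
    close(rs);
    return rc;
}

/* Returns 0: readable at startup and denied after lockdown;
 * 1: Landlock unavailable; 2: config unreadable at startup (or fork failed);
 * 3: lockdown applied but the read was not denied with EACCES. */
int demo_lockdown(const char *config_path) {
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {
        if (can_read(config_path) != 0) _exit(2);  /* startup phase */
        if (lock_down() != 0) _exit(1);            /* drop fs access */
        if (can_read(config_path) == 0) _exit(3);  /* must fail now */
        _exit(errno == EACCES ? 0 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void) { return demo_lockdown("/etc/passwd"); }
```

No root is required: `PR_SET_NO_NEW_PRIVS` is what lets an unprivileged process enforce the ruleset on itself, and the restriction is inherited by any children it spawns afterwards.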
walked about 3/4 mile and then started c/d run. felt strong so endurance is in a great spot!
#running
after the warm-up the humidity hit me and i realized i was drenched and i could not stop sweating. it was going to be rough, and it was. kept a pretty steady pace which was great... and around 0.70 miles i upchucked in my mouth a bit, which was oh so great, so i eased off the gas towards the end. overall very happy with the effort since normally i do this in the cooler and drier conditions. in addition i have not been doing much speed work so this is great.
76.2F feels like 84.6F with 93% RH and 73.7F dew point
#running
included some strides and felt pretty strong
#running
The second one hit us right in the face. The sky was constantly flashing and there was a continuous rumble, not individual thunder. (You can’t really hear it in the video, I was too close to the window …)
https://movq.de/v/e949ae6403/MVI_7687.MOV.mp4
Most of the lightning was inside the clouds, apparently.
https://movq.de/v/e949ae6403/IMG_7648.JPG
No water damage this time, luckily.
Grey text on a white background: I know, I know, I know, I know, I know, I know, I know, I know, I know, I know, I know, I know, I know, I know
It's itching everywhere, mozzies ate me alive.
- https://chromewebstore.google.com/search/Redirector
- https://libredirect.github.io/
- https://requestly.com/products/web-debugger/