Re: [DNG] Apparmor Excalibur issues
Author: Didier Kryn
Date:  
To: Dng
Subject: Re: [DNG] Apparmor Excalibur issues
On 25/02/2026 at 08:40, sawbona@??? wrote:
>> This is built into the program with the help of the kernel, but
>> under program control and without any mysterious external
>> mechanism.
> Indeed ...
> "... without any mysterious external mechanism." is *the* deal
> breaker there.


    The deal broker is a kernel module; your kernel is built with it
most probably. At least it is on Devuan. Security relies on the kernel.
It is the kernel which decides if a program can access a file or perform
some system-calls.

    Any program can call open(), read(), write(), connect(), which are
system-calls. But the kernel verifies that the access mode is allowed,
based on the properties of the file or the port number. It has been like
this since the advent of Unix. Any user program can write or delete
files in the user's home, at least; and programs running with root
permissions can do it everywhere. The first case is dangerous for the
user and the second for the whole system.

     With Landlock or Pledge, a program can ask the kernel to restrict
its own permissions beyond the classical read/write/execute. The role of
the kernel is to prevent the program from trespassing the limits it has
established itself, because, once enforced by the program, these
restrictions are irrevocable. Therefore the program establishes the
restrictions at the beginning and then does what it is made for. It is
the programmer's job to fit the restrictions to what the program is
made for.

    With Pledge or Linux-capabilities, the restrictions are on
system-calls; with Landlock, they are on system objects like files,
directories, network ports, signals; and the restrictions on files and
directories are much more fine-grained than the basic read/write/execute
permissions. It is likely that Pledge is better fitted for some cases
and Landlock for others. Dunno if they can be used together.

--     Didier
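The Landlock pattern Didier describes (the program builds a ruleset, asks the kernel to enforce it on itself, and from then on the kernel refuses anything outside it), as an added C example that is not part of the thread. It assumes a Linux kernel with Landlock (5.13 or later) and reports "unavailable" otherwise; the directory and probe path are arbitrary choices, and the check runs in a forked child so the caller stays unrestricted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI v1 constants, spelled out so this builds without <linux/landlock.h>;
 * syscall numbers 444-446 are identical on every Linux architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
enum { LL_WRITE_FILE = 1 << 1, LL_READ_FILE = 1 << 2, LL_READ_DIR = 1 << 3,
       LL_REMOVE_FILE = 1 << 5, LL_MAKE_REG = 1 << 8, LL_RULE_PATH_BENEATH = 1 };
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Self-restriction: afterwards the process may only read below `dir`; every other
 * handled access (write, create, delete, read elsewhere) is refused by the kernel and
 * nothing done later can undo it. 0 = enforced, 1 = kernel has no Landlock, -1 = error. */
int restrict_to_readonly(const char *dir)
{
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_WRITE_FILE | LL_READ_FILE |
                                  LL_READ_DIR | LL_REMOVE_FILE | LL_MAKE_REG };
    int ruleset = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset < 0) return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    struct ll_path_beneath_attr pb = { .allowed_access = LL_READ_FILE | LL_READ_DIR,
                                       .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
    int ok = pb.parent_fd >= 0 &&
             syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &pb, 0) == 0 &&
             prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && /* mandatory before restrict_self */
             syscall(__NR_landlock_restrict_self, ruleset, 0) == 0; /* the irrevocable step */
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    close(ruleset);
    return ok ? 0 : -1;
}

/* Probe in a child: 0 = kernel refused to create `path` (restriction works),
 * 1 = creation succeeded, 2 = Landlock unavailable, 3 = setup or fork failure. */
int probe_readonly_in_child(const char *dir, const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return 3;
    if (pid == 0) {
        int rc = restrict_to_readonly(dir);
        if (rc != 0) _exit(rc == 1 ? 2 : 3);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600); /* needs MAKE_REG + WRITE_FILE */
        if (fd >= 0) { close(fd); unlink(path); _exit(1); }
        _exit(0);
    }
    int status;
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) ? WEXITSTATUS(status) : 3;
}
```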