On 26/02/2026 at 19:04, Kevin Chadwick via Dng wrote:
>
> -------- Original Message --------
>
>> Thanks for the link. The tool is to run securely an untrusted, buggy, or
>> exploitable binary. I'm not sure this is something I need.
> I'm not sure how you got that impression
Maybe I overlooked something, but it seemed to me that the web page was about
running an application which sandboxes another one. This is something
relatively straightforward: all sandboxing mechanisms, to be efficient,
apply also to any other programs executed by the first one. I was rather
interested in a library this first program uses to sandbox itself.
>
>> My concern is rather
>> to secure the programs I write, and to make security obvious to people who
>> possibly review the source.
>>
> That is how Pledge is designed but it does need kernel or libc support on Linux
> by the looks of it.
>
> https://github.com/jart/pledge
It is written on the first page that it uses Seccomp to implement
this Pledge-like API.
>
>> By reading a little more, it seems to me that Pledge isn't really fine-grained.
> Looks like it's using seccomp and landlock to provide the same API as OpenBSD's
> pledge that is designed to be easy for a Unix user to work with (Unix syscall
> knowledge etc.).
The main argument in favor of Pledge is the simplicity of the API.
It seems to me that it is simple in part because it is less fine-grained
than Seccomp. Maybe a Pledge-like API may use Landlock also, but
Landlock isn't enough. Needing two mechanisms, and so different from each
other, brings in too much complexity for my taste. I have absolutely no
authority to judge, but I don't like very much the way Seccomp is
implemented. It would be OK for something experimental because no
dedicated syscall is needed, but it is still like this after years.
Capabilities and Landlock instead seem to be properly integrated into
the kernel.
-- Didier