Re: sandboxing of upstream programs by distros
Open Source Security
Posted by Bob Friesenhahn on Oct 22
Looking at the 5 rules you posted, my concern is addressed by rule #2
(I/O resources opened in advance).
This request seems the most challenging to satisfy.
A different I/O interface module would need to be developed to support
the possibility of opening an output descriptor in advance.
If one looks at ImageMagick, VIPS, GraphicsMagick, etc., one will
quickly see that those implementations optionally depend on tens of