For sandboxing: Do what Nautilus does and use something like bwrap ('bubblewrap') to stuff it in a micro-container with no access to anything but OS library paths and a tempdir for input and output files. It works similarly to Apple's "BlastDoor" setup.
Optionally, use something like AppArmor/SELinux on top of that, as you can define 'child' policies under a parent policy that are far more restrictive than generic policies for them can be. (I have no idea as to the actual terms for this, I just know it's possible from looking at CUPS. This would require some shenanigans/effort to pull off, however.)
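One concrete shape for the bwrap micro-container described above, as an added example that is not the commenter's code: it assumes a file-converter tool that takes its input and output paths as arguments under /work, and a hypothetical SANDBOX_CMD hook that exists only so the wrapper can be exercised without bwrap installed.

```shell
#!/bin/sh
# Wrap an untrusted file converter in a bubblewrap (bwrap) micro-container.
# The child sees the OS library paths read-only, an empty /tmp, and exactly
# one scratch directory (bound at /work) for input and output; no network,
# no host /home, no capabilities, no inherited environment.
# Assumed: the tool is invoked as "<tool> /work/in.ext /work/out.ext".
# SANDBOX_CMD (hypothetical) lets tests swap bwrap for a fake that prints args.
SANDBOX_CMD="${SANDBOX_CMD:-bwrap}"

run_sandboxed() {
  workdir="$1"; shift                # host directory holding the input file(s)
  cmd="$1"; shift                    # program to run inside the sandbox
  set -- --chdir /work "$cmd" "$@"   # tail of the bwrap command line
  # Bind only the OS paths that exist on this host, and only read-only.
  for p in /usr /lib /lib64 /bin /sbin /etc/ld.so.cache /etc/alternatives; do
    if [ -e "$p" ]; then set -- --ro-bind "$p" "$p" "$@"; fi
  done
  # --unshare-all needs unprivileged user namespaces on the host kernel.
  set -- \
    --unshare-all --die-with-parent --new-session \
    --cap-drop ALL --clearenv --setenv PATH /usr/bin:/bin \
    --proc /proc --dev /dev --tmpfs /tmp \
    --bind "$workdir" /work \
    "$@"
  "$SANDBOX_CMD" "$@"
}

# Usage (host side): copy the untrusted file into a fresh directory, run the
# converter against /work paths, then collect the result from that directory.
#   job=$(mktemp -d) && cp untrusted.png "$job/in.png"
#   run_sandboxed "$job" convert /work/in.png /work/out.png
```

The loop prepends binds so that every option precedes the command; anything the tool needs beyond the library paths (fonts, /etc/passwd) has to be added as an explicit --ro-bind rather than opening the whole filesystem.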