mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-02-07 15:03:34 +00:00
e81edf7b04
The pledge.com command now supports the new [WIP] unveil() support. For
example, to strongly sandbox our command for listing directories.
o//tool/build/assimilate.com o//examples/ls.com
pledge.com -v /etc -p 'stdio rpath' o//examples/ls.com /etc
This file system sandboxing is going to be perfect for us, because APE
binaries are self-contained static executables that really don't use the
filesystem that much. On the other hand, with non-static executables,
sandboxing is going to be more difficult. For example, here's how to
sandbox the `ls` command on the latest Alpine:
pledge.com -v rx:/lib -v /usr/lib -v /etc -p 'stdio rpath exec' ls /etc
This change fixes the `execpromises` API with pledge().
This change also adds unix.unveil() to redbean.
Fixes #494
|
||
|---|---|---|
| .. | ||
| demo | ||
| tiny | ||
| .init.lua | ||
| counters.inc | ||
| dig.c | ||
| echo.c | ||
| favicon.ico | ||
| help.txt | ||
| largon2.c | ||
| lfinger.c | ||
| lfinger.h | ||
| lfuncs.c | ||
| lfuncs.h | ||
| ljson.c | ||
| ljson.h | ||
| lmaxmind.c | ||
| lre.c | ||
| lsqlite3.c | ||
| luacheck.h | ||
| net.mk | ||
| redbean.c | ||
| redbean.png | ||
| sandbox.h | ||
| wb.c | ||
