Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 9:24 UTC (Fri) by farnz (subscriber, #17727)
In reply to: Unprivileged BPF and authoritative security hooks by developer122
Parent article: Unprivileged BPF and authoritative security hooks

Even though I am the only user of my laptop, I have multiple Linux users on it with different permissions; they provide a form of sandboxing between tasks for me, so that (for example) I can run a build as a user that can only pull from my local git repo, and cannot read my files otherwise, nor is it permitted network access. This, in turn, helps me catch stupid mistakes before I trigger CI - forgetting to git add a new file is one of my favourite tricks.

I was inspired to do this by Android, which uses a similar trick for isolation between applications.