feld (feld@bikeshed.party)'s status on Sunday, 24-Mar-2024 05:39:05 JST
@yuki2501 @ryan_harg @fasnix In FreeBSD world I guess you might be able to make a kernel module using the MAC framework to intercept these requests and then hook in to call something like how pinentry for gpg can open a dialog in a graphical interface or in the shell for approving or denying access, and the application would be blocked until you respond. It would then have to retain a database of applications you've granted access to but how do you determine which applications should be forced through this? You obviously can't do it for everything.
Maybe utilities/programs that should always have access are allowed because of some extended filesystem attribute? (Here we go getting weird again, not every fs with an executable is going to support extended attributes in Linux/BSD land) And who decides that anyway?
I have no idea how you'd do this cleanly in Linux. I guess you'd have to provide implementations for both SELinux and AppArmor as they'd be hooked in the appropriate places? Gross