Hacker News

Why would it use `chroot`? Combined with a sandboxing facility, like Capsicum, you can open a directory before entering capability mode, and later use `os.Root` to open files in the file system tree under the opened directory.


> Why would it use `chroot`?

I am not sure, is this custom `os.Root` implementation good enough to rely on it? I see that it is based on openat, and validation of paths/symlinks. But should we expect CVEs, which will break this protection layer?
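An added example, not part of the thread and not the Go project's own code: it compares opening names by string-joining them onto a directory with opening them through `os.Root`, on a tree that contains a symlink pointing outside the directory. It assumes Go 1.24 or later on a Unix-like system; the directory and file names (`jail`, `secret.txt`, `escape`, `alias`) and the helpers `slurp` and `Probe` are constructed for the illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// slurp reads an opened file, or reports "DENIED" if the open failed.
func slurp(f *os.File, err error) string {
	if err != nil {
		return "DENIED"
	}
	defer f.Close()
	b, _ := io.ReadAll(f)
	return string(b)
}

// Probe builds a constructed tree (jail/ plus a file outside it) and opens
// each name twice: by joining strings, and through os.Root (Go 1.24+).
func Probe() (naive, rooted map[string]string, err error) {
	base, err := os.MkdirTemp("", "rootdemo")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(base)
	jail := filepath.Join(base, "jail")
	os.Mkdir(jail, 0o700)
	os.WriteFile(filepath.Join(base, "secret.txt"), []byte("outside"), 0o600)
	os.WriteFile(filepath.Join(jail, "ok.txt"), []byte("inside"), 0o600)
	os.Symlink("ok.txt", filepath.Join(jail, "alias"))         // stays inside
	os.Symlink("../secret.txt", filepath.Join(jail, "escape")) // points outside

	root, err := os.OpenRoot(jail) // open handle on jail; lookups are relative to it
	if err != nil {
		return nil, nil, err
	}
	defer root.Close()
	naive, rooted = map[string]string{}, map[string]string{}
	for _, name := range []string{"ok.txt", "alias", "escape", "../secret.txt"} {
		naive[name] = slurp(os.Open(filepath.Join(jail, name)))
		rooted[name] = slurp(root.Open(name))
	}
	return naive, rooted, nil
}

func main() {
	naive, rooted, err := Probe()
	fmt.Println(naive, rooted, err)
}
```

The `os` package documentation notes that `Root` does not restrict traversal of filesystem boundaries, Linux bind mounts, `/proc` special files, or access to Unix device files.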


Let me get my crystal ball.



