Hey folks,

Late night clicking-while-drooling, I came across something a few minutes ago that mildly piqued my interest -- mbox <http://pdos.csail.mit.edu/mbox/>. It's a sandbox that uses a combination of ptrace and seccomp bpf; neither ours nor exherbo's uses both of these together.

The killer feature, for us, that's motivating me to write to this list, is that it creates a "shadow file system", and then has the option to commit the changes of that file system to the real file system, piece by piece, when the process is done. It made me think of some discussions we had at FOSDEM about Portage evolution and whatnot.

I haven't looked at this tool past an initial glance, but it does look like interesting food for thought.

Jason

--
Jason A. Donenfeld
Gentoo Linux Security & Infrastructure
zx...@gentoo.org
www.zx2c4.com