compiler-explorer
bubblewrap
compiler-explorer | bubblewrap | |
---|---|---|
210 | 77 | |
16,837 | 4,044 | |
1.9% | 1.4% | |
9.8 | 7.6 | |
about 15 hours ago | 3 months ago | |
TypeScript | C | |
BSD 2-clause "Simplified" License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
compiler-explorer
-
Sonos CEO Patrick Spence steps down after app update debacle
I have, it's called Visual Studio Code and I ditched my old native editor(s) for it.
I'd even suggest that the fact that it's JS based has significantly changed the tech world because the editor itself will run in a browser so it's here https://godbolt.org/ , and here https://codesandbox.io, and here https://www.postman.com/, and here https://aws.amazon.com/pm/cloud9/ and 100s or 1000s of other sites.
-
What Did Ada Lovelace's Program Actually Do? (2018)
I'm told the story of Godbolt[0] is similar.
I think that he has an ID here, so we could probably ask him. It's a very good tool.
[0] https://godbolt.org
- Learn Rust the Dangerous Way
- Compiler Explorer
-
Improve an algorithm performance step by step
The GodBolt compiler explorer is also useful for comparing the assembly function code between C++ and Rust.
-
std::array in C++ isn't slower than array in C
Using several operations as examples, let's see what assembler the compiler can get. We're using the latest Clang for the x86-64 platform available on Compiler Explorer.
-
Google's New Pipe Syntax in SQL
it is also pretty good at decompiling - try feeding the output of https://godbolt.org/ back to an LLM
-
Initial details about why the CrowdStrike's CSAgent.sys crashed
As a very first step, you may start playing with https://godbolt.org/ to see how code is translated into lower-level instructions.
bubblewrap
-
HardenedBSD Feature Comparison with OpenBSD, FreeBSD, NetBSD
> Not requiring the cooperation of developers to opt-in, for starters.
True, meaningful in the general case, and completely irrelevant in this particular case, which started with specifically the question of OpenBSD applying the protection in question to its own base system. I actually agree that being able to externally impose a sandbox is super useful, but self-imposed restrictions are perfectly applicable in this usecase.
> You really think pledge and unveil are equivalent to sandboxing? Can you refer to any sandboxing solution or technologies that limit themselves to restricting syscalls and hiding file paths? Unveil is a lot more useful as a component in sandboxing, I'll give you that.
I think that pledge and unveil are a type of sandboxing, certainly. And... I'm struggling to think of any sandboxing tech that does anything but limit syscalls and filesystem access. After rereading https://github.com/containers/bubblewrap?tab=readme-ov-file#... a bit, I suppose there's a case for being able to change what a sandboxed process can see rather than only masking (ex. PID 1 is a different process inside and outside the sandbox), but that strikes me as a slight variation rather than a fundamental difference in what is or isn't a "sandbox" per se. Likewise, I could see an argument that OpenBSD's approach is coarser than it could be; ex. I think you could restrict a Linux process to keep your real user and be able to read files but not write them even though they're owned by your user and are 644, but that's more of a convenience thing than a true fundamental difference - an OpenBSD process could open files in read mode, keep the socket open, and then pledge away open() altogether which gives you the same outcome with more legwork.
-
Docker, Linux, Security. Kinda.
As an example we will look at man 1 bwrap. Bubblewrap allows us to sandbox an application, not too dissimilar to docker. Flatpaks use bubblewrap as part of their sandbox. Bubblewrap can optionally take in a list of syscalls to filter. The filter is expressed as a BPF(Berkley Packet Filter program - remember when I said docker gives you a friendlier interface to seccomp?) program. Below is a short program that defines a BPF program that can be passed to an application using bwrap that lets us log all the sycalls the application makes to syslog.
-
I Use Nix on macOS
Nothing nix specific but you may be interested in https://github.com/containers/bubblewrap
- I reduced the size of my Docker image by 40% – Dockerizing shell scripts
- Exploring Podman: A More Secure Docker Alternative
-
Using GitLab Kubernetes Runners to Build Melange Packages
Recently, I came across Chainguard and wrote the article How to build Docker Images with Melange and Apko. As a fervent supporter of Kubernetes and GitLab CI, I was eager to experiment with building images using Melange in this particular setup. GitLab's shared Runners work seamlessly with Bubblewrap, eliminating the need for additional configurations. This post is intended for enthusiasts like myself, interested in hosting their own Kubernetes Runners and leveraging the Kubernetes Runner Type of Melange.
- how strong is the steam (runtime) sandbox for games?
- Server-side sandboxing: Containers and seccomp
-
A Study of Malicious Code in PyPI Ecosystem
```
This is basically manually invoking what Flatpak does:
https://github.com/containers/bubblewrap
This is also useful for more than just security. E.G., you can test how your app would behave on a fresh install by masking your user configuration files. I personally also have a tool that uses it to basically bundle all dependencies from an entire Linux distribution in order to make highly portable AppImages— Been meaning to post that, will get around to it eventually maybe.
The flags above should hide your user data (`--tmpfs`), disable network access (`--unshare-all`), hide/virtualize devices and OS state (`--dev` and `--proc`), and make the rest of the root filesystem read-only (`--ro-bind`— Including the insecure X11 socket in `/tmp`, which you might want to expose for GUI apps).
Check them against `bwrap --help`; I might have omitted one or two more things you'd need.
- Bubblewrap – Low-level unprivileged sandboxing tool used by Flatpak
What are some alternatives?
{fmt} - A modern formatting library
firejail - Linux namespaces and seccomp-bpf sandbox
format-benchmark - A collection of formatting benchmarks
flatpak - Linux application sandboxing and distribution framework
rust - Empowering everyone to build reliable and efficient software.
nsjail - A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
papers - ISO/IEC JTC1 SC22 WG21 paper scheduling and management
flathub - Issue tracker and new submissions
rustc_codegen_gcc - libgccjit AOT codegen for rustc
distrobox - Use any linux distribution inside your terminal. Enable both backward and forward compatibility with software and freedom to use whatever distribution you’re more comfortable with. Mirror available at: https://gitlab.com/89luca89/distrobox
arewefastyet - arewefastyet.rs - benchmarking the Rust compiler
multipass - Multipass orchestrates virtual Ubuntu instances