Hey @rgwood, you could specify a manifest with no capabilities to limit the access of arbitrary executables to the access that AppContainers are granted by default. We don't currently support a sandbox more restrictive than that.
Right now, this project seems focused on letting developers opt in to MSIX-dependent sandboxing for their own applications. I would like to use the sandbox in a different way: to restrict what arbitrary executables can do.
On Linux, Justine Tunney's BSD-inspired `pledge` tool is extremely useful; it can be used to launch arbitrary executables inside a sandbox. For example, if you want to run `ls` and only permit it to do basic stdio (`-p stdio`) and filesystem path (`-p rpath`) reading in the current directory (`-v .`), then you'd say:

It would be super useful to have something similar on Windows. I would use it for things like: