@xameerHoldMyType I think the list goes further:
incorporating seccomp for process isolation on capable GNU/Linux systems, while FreeBSD has its own sandboxing mechanism called Capsicum.
> Process Isolation (OS-level) separates processes' memory/resources for stability; chroot (filesystem-level) changes a process's root directory for simple file access restriction (weak security); while Sandboxing (application/security-focused) uses stronger kernel features (containers, VMs, or specialized tools).

@xameerHoldMyType (contd.) Go without user namespace isolation to build an app in a rootless container, like you need to dynamically allocate builder UIDs, and with it as root (rarely with it), without a sandbox, app.
I'll do that on, how will you do it on another?
Do you ever use `sysctl -w kernel.unprivileged_userns_clone=1`?
.

