
Couldn't or shouldn't each parser be run in a container with systemd-nspawn or LXC or another container runtime? (Even if all it's doing is reading a file format into process space as NX data, not code, as the current user.)


NX bit: https://en.wikipedia.org/wiki/NX_bit

Executable-space protection > Limitations mentions JITs and ROP: https://en.wikipedia.org/wiki/Executable-space_protection

mprotect(), VirtualAlloc[Ex] and VirtualProtect[Ex]

"NX bit: does it protect the stack?" https://security.stackexchange.com/questions/47807/nx-bit-do...
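The two mechanisms the comment links, the NX bit and mprotect(), can be observed directly from user space. The following is an added example, not code from the commenter or from any project mentioned on the page. It assumes Linux or macOS on x86-64 or aarch64 with gcc or clang: one anonymous page is mapped read+write, a single "ret" instruction is copied into it, and calling into the page is attempted. With NX enforced the first call faults with SIGSEGV, which the handler turns into a return value; after mprotect() flips the page to read+execute (the JIT step from the "Limitations" section) the same bytes run. On a kernel with a W^X policy such as SELinux execmem or PaX MPROTECT the mprotect() call itself may be refused, and the example reports that case rather than treating it as failure.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a bare "return" on the host architecture, so that if the
 * page IS executable, calling into it simply comes back to the caller. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "add the 'ret' encoding for this architecture"
#endif

static sigjmp_buf fault_jmp;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_jmp, 1); /* unwind out of the faulting call */
}

/* Call the bytes at p as if they were code.
 * Returns 1 if they executed, 0 if the CPU refused (SIGSEGV/SIGBUS). */
static int try_execute(void *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int ran = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &p, sizeof fn); /* data pointer -> function pointer without a cast warning */
        fn();
        ran = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ran;
}

/* Map one anonymous page as read+write data (no PROT_EXEC), copy the
 * instruction in, and check that the NX bit stops it from running.
 * Returns 1 when execution was blocked, 0 when it ran, -1 if mmap() failed. */
int nx_blocks_data_page(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    int blocked = !try_execute(page);
    munmap(page, pagesz);
    return blocked;
}

/* Same page, but flipped to read+execute with mprotect() first. This is the
 * step a JIT takes and the step a hardened policy (SELinux execmem, PaX
 * MPROTECT) may refuse. Returns 1 if the bytes ran, 0 if still blocked,
 * -1 if mmap() or mprotect() was refused. */
int exec_after_mprotect(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, ret_insn, sizeof ret_insn);
    /* Drop write before adding exec: never hold W+X on the same page. */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -1;
    }
    /* Required on aarch64 after writing instructions; harmless on x86. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);
    int ran = try_execute(page);
    munmap(page, pagesz);
    return ran;
}

int main(void) {
    printf("RW data page executes? %s\n",
           nx_blocks_data_page() == 1 ? "no (NX enforced)" : "yes");
    int r = exec_after_mprotect();
    printf("after mprotect(PROT_READ|PROT_EXEC): %s\n",
           r == 1 ? "executes" : r == 0 ? "still blocked" : "mprotect refused by policy");
    return 0;
}
```

Build with `cc -O0 nx_demo.c -o nx_demo` (the file name is arbitrary). The point for the parser question above: NX keeps bytes read from an untrusted file from running as code only as long as nothing in the process later calls mprotect()/VirtualProtect() on that memory, and it does nothing about ROP, which reuses code that is already executable; that is why the stack-protection answer linked above and a container boundary around the parser are complementary rather than redundant.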



