Landlock shines when an application has a predictable set of files or directories it needs. For example, a web server could restrict itself to accessing only /var/www/html and /tmp.

The author reminds Linux has security issues on most major distributions and each tools trying to improve the state of securit on Linux has drawbacks: Containerization, Flatpak, Firejail, seccomp, SELinux, AppArmor and Landlock.

Landlock fills a major gap: a simple, self-cotnained unprivileged sandboxing tool.

Read more on the landlock.io

A script

Hacker news thread: https://news.ycombinator.com/item?id=46092338

(via https://shaarli.zoemp.be/shaare/xtCl-Q)

How to serve typescript file?

Using a proxy mounted on a route that did a passthrough to a vite front-end app And in production we switched out that proxy for a StaticDir.

I use vite. In development vite dev server proxies requests to (axum) backend, for production vite compiles the frontend bits into a bundle that can be served by axum in a specific route. I'm sure ServeDir would work with this setup, but I actually include the bundle in my executable with a small macro which makes deployments stupid simple.