I'd like to share something nice that I am currently working on: A Landlock integration for Forgejo.

Landlock (https://landlock.io) lets userspace processes tell the kernel "hey kernel, please only let me access the following filesystem resources" (and it also supports sockets, etc. now).

My integration only limits unfettered access to arbitrary files. It needs a lot more yak shaving (refactoring, configurations, using the PATH variable for Git binaries) and time.

#landlock #forgejo
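An added example, not part of the original post and not code from the Forgejo integration: a minimal C program in which a child process asks the kernel, via the Landlock syscalls, to limit it to read-only access beneath one directory. The function names and the paths `/usr` and `/etc/passwd` are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Restrict the caller to read-only access beneath `dir`; 0 on success, -1 otherwise. */
static int restrict_to_readonly(const char *dir) {
    /* Only ABI v1 rights are handled, so this works on any Landlock-enabled kernel. */
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE |
            LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE };
    int ruleset = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset < 0) return -1; /* kernel lacks Landlock, or it is disabled or filtered */
    struct landlock_path_beneath_attr rule = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
    /* no_new_privs must be set before an unprivileged process may restrict itself. */
    int ok = rule.parent_fd >= 0 &&
        syscall(SYS_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        syscall(SYS_landlock_restrict_self, ruleset, 0) == 0;
    if (rule.parent_fd >= 0) close(rule.parent_fd);
    close(ruleset);
    return ok ? 0 : -1;
}

/* Sandbox a forked child to `allowed`, then probe both paths from inside it.
 * Returns 0 = sandbox enforced, 1 = `denied` was not blocked, 2 = Landlock unavailable. */
static int demo(const char *allowed, const char *denied) {
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {
        if (restrict_to_readonly(allowed) != 0) _exit(2);
        int a = open(allowed, O_RDONLY | O_DIRECTORY); /* inside the rule: permitted */
        int d = open(denied, O_RDONLY);                /* outside the rule: EACCES */
        _exit(a >= 0 && d < 0 && errno == EACCES ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return 2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

int main(void) {
    printf("result: %d\n", demo("/usr", "/etc/passwd"));
    return 0;
}
```

The restriction is inherited by every process the sandboxed child later spawns and cannot be lifted, which is why the demo applies it in a forked child instead of the parent.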

@n0toose so it's kind of a firejail for python?