I like the Mac OS X sandbox API.
> int sandbox_init(const char *profile, uint64_t flags, > char **errorbuf); > > void sandbox_free_error(char *errorbuf); > > Profiles: > kSBXProfileNoInternet TCP/IP networking is prohibited. > kSBXProfileNoNetwork All sockets-based networking is > prohibited. > > kSBXProfileNoWrite File system writes are prohibited. > > kSBXProfileNoWriteExceptTemporary File system writes are > restricted to the temporary folder > /var/tmp and the folder specified by the > confstr(3) configuration variable > _CS_DARWIN_USER_TEMP_DIR. > kSBXProfilePureComputation All operating system > services are prohibited.This is the kind of API that userspace should have. Whether or not the mechanism is the LSM, selinux, ftrace, perf, or whatever really isn't the important issue.
The Google Chrome team managed to implement something resembling this sandbox for WebKit using seccomp, a helper thread, a helper process, and some IPC mechanisms. But seriously, why is it that hard for userspace applications to give up some capabilities?
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds