ObjFW  View Ticket

2021-10-24
10:48 Ticket [a550bff2f8] Generalize API for OFSandbox status still Open with 3 other changes artifact: af9f9c5d74 user: js
2020-12-22
13:18 Ticket [a550bff2f8]: 4 changes artifact: f6a083f883 user: js
13:05 New ticket [a550bff2f8]. artifact: 62f8f4bd0f user: js

Ticket UUID: a550bff2f89212af12be7cffdced2c8a59f5e75c
Title: Generalize API for OFSandbox
Status: Open
Type: Enhancement
Severity: Important
Priority: Medium
Subsystem:
Resolution: Open
Last Modified: 2021-10-24 10:48:29
Version Found In:
Milestone: none
User Comments:
js added on 2020-12-22 13:05:46:

OFSandbox currently maps more or less 1:1 to OpenBSD's pledge() and unveil(). While those are great APIs that are easy to adopt for applications, it's unclear whether the current OFSandbox could be adopted to other sandboxing frameworks like seccomp-bpf or Capsicum.


js added on 2020-12-22 13:18:13:

OFSandbox is private in 1.0 for now ([510628432f]) until this gets solved.


js added on 2021-10-24 10:48:29:

Landlock landed in Linux 5.13, which works similarly to pledge() / unveil(). Implementing OFSandbox with Landlock will probably be a good sanity check on whether the API is generic enough.