Ticket UUID: a550bff2f89212af12be7cffdced2c8a59f5e75c
Title: Generalize API for OFSandbox
Status: Open
Type: Enhancement
Severity: Important
Priority: Medium
Subsystem:
Resolution: Open
Last Modified: 2021-10-24 10:48:29
Version Found In:
Milestone: none

User Comments:

js added on 2020-12-22 13:05:46:
(text/x-markdown)
`OFSandbox` currently maps more or less 1:1 to OpenBSD's `pledge()` and `unveil()`. While those are great APIs that are easy to adopt for applications, it's unclear whether the current `OFSandbox` could be adopted to other sandboxing frameworks like seccomp-bpf or Capsicum.

js added on 2020-12-22 13:18:13:
(text/x-markdown)
`OFSandbox` is private in 1.0 for now ([510628432f](510628432f)) until this gets solved.

js added on 2021-10-24 10:48:29:
(text/x-markdown)
Landlock landed in Linux 5.13, which works similarly to `pledge()` / `unveil()`. Implementing `OFSandbox` with Landlock will probably be a good sanity check on whether the API is generic enough.