ObjFW: View Ticket

Ticket UUID: a550bff2f89212af12be7cffdced2c8a59f5e75c
Title: Generalize API for OFSandbox
Status: Open
Type: Enhancement
Severity: Important
Priority: Medium
Subsystem:
Resolution: Open
Last Modified: 2021-10-24 10:48:29
Version Found In:
Milestone: none
User Comments:
js added on 2020-12-22 13:05:46:

OFSandbox currently maps more or less 1:1 to OpenBSD's pledge() and unveil(). While those are great APIs that are easy to adopt for applications, it's unclear whether the current OFSandbox could be adapted to other sandboxing frameworks like seccomp-bpf or Capsicum.


js added on 2020-12-22 13:18:13:

OFSandbox is private in 1.0 for now ([510628432f]) until this gets solved.


js added on 2021-10-24 10:48:29:

Landlock landed in Linux 5.13, which works similarly to pledge() / unveil(). Implementing OFSandbox with Landlock will probably be a good sanity check on whether the API is generic enough.
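The following is an added example, not code from ObjFW or from this ticket's author. It sketches what the "generic enough" question in the comments above amounts to in practice: a small platform-neutral path policy (the `sb_*` names and the `SB_*` bits are hypothetical, not OFSandbox's API) lowered once to unveil()/pledge() strings and once to Landlock access masks. The Landlock bit values are the ABI v1 constants from <linux/landlock.h>, redefined locally so the file compiles without the header; the sample policy is constructed for the example.

```c
/* Added example (not ObjFW code): one neutral policy, two backends. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical capability bits a generic sandbox API might expose per path. */
enum {
    SB_READ   = 1 << 0,
    SB_WRITE  = 1 << 1,
    SB_CREATE = 1 << 2,
    SB_EXEC   = 1 << 3,
};

struct sb_path_rule {
    const char *path;
    unsigned perms;          /* SB_* bits */
};

/* Landlock filesystem access rights, ABI v1 values from <linux/landlock.h>. */
#define LL_EXECUTE     (1ULL << 0)
#define LL_WRITE_FILE  (1ULL << 1)
#define LL_READ_FILE   (1ULL << 2)
#define LL_READ_DIR    (1ULL << 3)
#define LL_REMOVE_DIR  (1ULL << 4)
#define LL_REMOVE_FILE (1ULL << 5)
#define LL_MAKE_DIR    (1ULL << 7)
#define LL_MAKE_REG    (1ULL << 8)
#define LL_MAKE_SOCK   (1ULL << 9)
#define LL_MAKE_FIFO   (1ULL << 10)
#define LL_MAKE_SYM    (1ULL << 12)

/* Lower one rule to the permission string unveil(2) takes (subset of "rwxc").
 * Returns the number of characters written, excluding the terminator. */
size_t sb_to_unveil_perms(unsigned perms, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    if ((perms & SB_READ)   && n + 1 < outlen) out[n++] = 'r';
    if ((perms & SB_WRITE)  && n + 1 < outlen) out[n++] = 'w';
    if ((perms & SB_EXEC)   && n + 1 < outlen) out[n++] = 'x';
    if ((perms & SB_CREATE) && n + 1 < outlen) out[n++] = 'c';
    out[n] = '\0';
    return n;
}

/* Lower one rule to a Landlock allowed_access mask. Landlock is finer grained
 * than unveil: a single "create" bit fans out into several make/remove rights,
 * and "read" must cover both file contents and directory listing. */
uint64_t sb_to_landlock_access(unsigned perms)
{
    uint64_t access = 0;
    if (perms & SB_READ)   access |= LL_READ_FILE | LL_READ_DIR;
    if (perms & SB_WRITE)  access |= LL_WRITE_FILE;
    if (perms & SB_EXEC)   access |= LL_EXECUTE;
    if (perms & SB_CREATE)
        access |= LL_MAKE_REG | LL_MAKE_DIR | LL_MAKE_SYM | LL_MAKE_FIFO
                | LL_MAKE_SOCK | LL_REMOVE_FILE | LL_REMOVE_DIR;
    return access;
}

/* Derive the pledge(2) promise string implied by the whole policy. This is
 * the part with no Landlock counterpart: Landlock only restricts filesystem
 * access, so a syscall-class notion like pledge promises would need
 * seccomp-bpf on Linux. Returns the resulting string length. */
size_t sb_to_pledge_promises(const struct sb_path_rule *rules, size_t nrules,
                             char *out, size_t outlen)
{
    unsigned all = 0;
    for (size_t i = 0; i < nrules; i++) all |= rules[i].perms;
    out[0] = '\0';
    strncat(out, "stdio", outlen - 1);
    if (all & SB_READ)   strncat(out, " rpath", outlen - 1 - strlen(out));
    if (all & SB_WRITE)  strncat(out, " wpath", outlen - 1 - strlen(out));
    if (all & SB_CREATE) strncat(out, " cpath", outlen - 1 - strlen(out));
    if (all & SB_EXEC)   strncat(out, " exec",  outlen - 1 - strlen(out));
    return strlen(out);
}

int main(void)
{
    /* Constructed sample policy: read-only libraries, a scratch directory. */
    const struct sb_path_rule policy[] = {
        { "/usr/lib", SB_READ | SB_EXEC },
        { "/tmp",     SB_READ | SB_WRITE | SB_CREATE },
    };
    size_t n = sizeof policy / sizeof policy[0];
    char perms[8], promises[64];

    for (size_t i = 0; i < n; i++) {
        sb_to_unveil_perms(policy[i].perms, perms, sizeof perms);
        printf("%-10s unveil=\"%s\"  landlock=0x%llx\n", policy[i].path, perms,
               (unsigned long long)sb_to_landlock_access(policy[i].perms));
    }
    sb_to_pledge_promises(policy, n, promises, sizeof promises);
    printf("pledge promises: \"%s\" (no Landlock equivalent)\n", promises);
    return 0;
}
```

Applying the lowered policy is the platform-specific part left out above: on OpenBSD, one `unveil(path, perms)` per rule followed by `pledge(promises, NULL)`; on Linux, `landlock_create_ruleset()` with a `handled_access_fs` that covers every bit the masks use, one `landlock_add_rule()` per path, `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`, then `landlock_restrict_self()`. The asymmetry the code makes visible is the design point of the ticket: path rules translate cleanly between unveil() and Landlock, while promises only exist on the pledge() side.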