A quick look at unprivileged sandboxing
10 months ago
- #Linux
- #syscalls
- #sandboxing
- The article discusses methods to confine a server daemon to a single directory without requiring root privileges.
- OpenBSD's `unveil()` and `pledge()` syscalls are highlighted for their simplicity: `unveil()` restricts which filesystem paths remain visible, and `pledge()` restricts which syscalls the process may still make.
- Linux's Landlock is presented as a more complex alternative to `unveil()`, requiring a detailed setup but offering similar confinement capabilities.
- The `setpriv` command from util-linux is mentioned for applying Landlock rules via the command line, though it confines the entire program.
- A detailed example using Linux namespaces and mounts demonstrates a more involved method to achieve directory confinement, similar to Bubblewrap's approach.
- The article concludes by advocating for simpler, more accessible sandboxing tools like `unveil()` and `pledge()` to encourage widespread adoption and correctness.
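To make the `unveil()`-versus-Landlock contrast concrete, here is an added example that is not code from the article or from any project it mentions: a C program that confines a child process to one directory with Landlock and then probes whether a path inside and a path outside that directory can still be opened. It uses raw `syscall()` calls with the Landlock ABI v1 numbers and flag values (444 to 446, `LANDLOCK_ACCESS_FS_*` bits 0 to 12) so it builds without `<linux/landlock.h>`; the scratch directory under `/tmp`, the `/etc/passwd` probe path and the fork-and-probe harness are this example's own constructions. On a kernel without Landlock (or inside a container whose seccomp profile blocks the syscalls) it reports "unavailable" instead of failing.

```c
// Added example, not from the article: confine a child to one directory with Landlock
// and probe what it can still open. Uses raw syscalls with the documented ABI v1 values
// so it compiles even where <linux/landlock.h> is missing.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock ABI v1 (Linux 5.13): syscall numbers are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_RULE_PATH_BENEATH 1U
/* EXECUTE, WRITE_FILE, READ_FILE, READ_DIR, REMOVE_DIR, REMOVE_FILE, MAKE_* : bits 0..12 */
#define LL_FS_ALL_V1 ((1ULL << 13) - 1)

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

enum { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_UNAVAILABLE = 2, PROBE_ERROR = 3 };

/* Restrict the calling process so that only `dir` and what lies beneath it stays reachable.
 * Compare with OpenBSD: unveil(dir, "rwxc") followed by unveil(NULL, NULL). */
static int landlock_confine_to(const char *dir)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) {
        /* ENOSYS: old kernel; EOPNOTSUPP: LSM not enabled; EPERM: blocked by seccomp. */
        if (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) return PROBE_UNAVAILABLE;
        return PROBE_ERROR;
    }
    struct ll_path_beneath_attr rule = { .allowed_access = LL_FS_ALL_V1 };
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);   /* O_PATH is enough for a rule */
    if (rule.parent_fd < 0) { close(ruleset); return PROBE_ERROR; }
    long rc = syscall(__NR_landlock_add_rule, ruleset, LL_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    /* restrict_self requires no_new_privs so the sandbox cannot be escaped via setuid. */
    if (rc == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
        rc = syscall(__NR_landlock_restrict_self, ruleset, 0);
    close(ruleset);
    return rc == 0 ? PROBE_ALLOWED : PROBE_ERROR;
}

/* Fork, confine the child to `dir`, and report whether open(probe, O_RDONLY) succeeds there. */
static int confine_and_probe(const char *dir, const char *probe)
{
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        int rc = landlock_confine_to(dir);
        if (rc != PROBE_ALLOWED) _exit(rc);
        int fd = open(probe, O_RDONLY | O_CLOEXEC);
        if (fd >= 0) _exit(PROBE_ALLOWED);
        _exit(errno == EACCES ? PROBE_DENIED : PROBE_ERROR);   /* Landlock denies with EACCES */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
}

/* Constructed fixture: a scratch directory holding one readable file. Returns 0 on success. */
static int make_scratch(char *dir, size_t dirsz, char *file, size_t filesz)
{
    snprintf(dir, dirsz, "/tmp/landlock_demo_XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(file, filesz, "%s/allowed.txt", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, "hello\n", 6) == 6;
    close(fd);
    return ok ? 0 : -1;
}

/* Scenario 1: confined to the scratch dir, a file beneath it can still be read. */
int demo_probe_inside(void)
{
    char dir[64], file[96];
    if (make_scratch(dir, sizeof dir, file, sizeof file) != 0) return PROBE_ERROR;
    int r = confine_and_probe(dir, file);
    unlink(file); rmdir(dir);
    return r;
}

/* Scenario 2: confined to the scratch dir, a file outside it (/etc/passwd) is denied. */
int demo_probe_outside(void)
{
    char dir[64], file[96];
    if (make_scratch(dir, sizeof dir, file, sizeof file) != 0) return PROBE_ERROR;
    int r = confine_and_probe(dir, "/etc/passwd");
    unlink(file); rmdir(dir);
    return r;
}

int main(void)
{
    const char *names[] = { "allowed", "denied", "landlock unavailable", "error" };
    printf("inside:  %s\n", names[demo_probe_inside()]);
    printf("outside: %s\n", names[demo_probe_outside()]);
    return 0;
}
```

The confinement is done in a forked child so the parent stays unrestricted and can observe the result; a real daemon would call the equivalent of `landlock_confine_to()` on itself once its configuration and log files are open. Note how much ceremony the same policy costs compared with two `unveil()` calls: a ruleset object, an explicit list of handled access rights (and the ruleset silently does not govern rights it does not handle), a rule per allowed directory, `no_new_privs`, and finally `restrict_self`.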