I believe in sandboxing, I hope it gets better and easier to use.
I work on several C programs. I wish for the day when we have an easy to use, cross platform method of setting up a small set of open files at the start of a program, then be able to say "No more file access, no more network connections".
I know this hides a whole bunch of complication, which is why it's hard and why there are so many ways to do it -- I view it the same way as the move to distinct virtual memory spaces for each process. Once we have it we'll wonder why we ever allowed every program free access to the whole file system for its entire life-span by default.
That is one thing I've looked at, and it looks great.
Hopefully someone (and it won't be me :) ) will write a library which looks like pledge but wraps all the various things in different OSes (I hear words like seccomp on Linux).
On Linux the low-level building blocks that can achieve similar are seccomp and namespaces, but the only abstractions that I am aware of involve separate launcher processes like runc[0] or firejail[1].
A library providing similar functionality to pledge that could be added during application startup or when doing fork+exec would be great.
"Better", but similar, would be to move to OS with the Object Capability model. Applications don't get access-by-default with security bolted on afterward, they get access to the objects they're initially granted and no way whatsoever to access anything beyond that.
Sadly that's a huge change in programming and security model for most and wouldn't be an easy change to make.
CloudABI https://nuxi.nl/cloudabi/ lets you run capability based apps side by side with traditional full POSIX apps on your OS. Out of the box on FreeBSD, patches exist for Linux and NetBSD, userspace support for macOS. So you get one binary that runs on multiple operating systems as a bonus :) The ABI itself is basically "FreeBSD, plus Capsicum always enabled from the start, minus any stuff that doesn't work under Capsicum".
That's a nice step in the right direction, thanks for bringing it to my attention. It does mean a fair bit of rewriting though which is mostly what my initial comment was trying to get across, it's a different world over there :)
> "No more file access, no more network connections".
You could potentially use setrlimit on RLIMIT_NOFILE to limit your number of open files.
Although... you probably still want to display something to the terminal which means you still want stdout and stderr, so an attacker could just close stdout and stderr before doing whatever they wanted with their 2 remaining fds.
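To make the RLIMIT_NOFILE idea and its weakness concrete, here is an added example (written for this thread, not code posted by the commenter). It opens one file early, plugs any unused low descriptor numbers, caps both the soft and hard limit at the next descriptor number so every further open() fails with EMFILE, and then shows that closing any existing descriptor frees a slot again. It assumes a POSIX system and uses /dev/null as a stand-in for the program's real config file; the function names are this example's own.

```c
/* Example: using RLIMIT_NOFILE as a crude "no more files" switch, and why it
 * is not a sandbox. All names and the use of /dev/null are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Open /dev/null in every unused descriptor number below `limit`, so the
 * only free slots left are ones the program itself closes later. */
static int plug_low_fds(int limit)
{
    for (int fd = 0; fd < limit; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            /* open() hands out the lowest free number, i.e. exactly `fd`. */
            if (open("/dev/null", O_RDWR) < 0)
                return -1;
        }
    }
    return 0;
}

/* Cap RLIMIT_NOFILE (soft and hard) at `limit`: no descriptor numbered
 * >= limit can be created from now on, and the process cannot raise it. */
static int cap_fd_count(rlim_t limit)
{
    struct rlimit rl = { .rlim_cur = limit, .rlim_max = limit };
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Attempt an open(); returns 0 on success, otherwise the errno value. */
static int try_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Run the scenario. Fills in the open() result after the cap (expected
 * EMFILE) and after one descriptor is closed (expected 0). Returns 0 on
 * success, -1 if the setup itself failed. */
int run_scenario(int *after_cap, int *after_freeing_slot)
{
    int config_fd = open("/dev/null", O_RDONLY); /* stand-in for a config file */
    if (config_fd < 0)
        return -1;
    if (plug_low_fds(config_fd) != 0)
        return -1;
    if (cap_fd_count((rlim_t)config_fd + 1) != 0)
        return -1;

    *after_cap = try_open("/dev/null");          /* all slots used: EMFILE */

    /* The weakness: anything running in the process can close a descriptor
     * (stdout, stderr, the config file) and reuse the freed number. */
    close(config_fd);
    *after_freeing_slot = try_open("/dev/null"); /* succeeds again: 0 */
    return 0;
}

int main(void)
{
    int after_cap = -1, after_free = -1;
    if (run_scenario(&after_cap, &after_free) != 0) {
        perror("run_scenario");
        return 1;
    }
    printf("open() after cap: errno %d (EMFILE=%d)\n", after_cap, EMFILE);
    printf("open() after closing one fd: %d\n", after_free);
    return 0;
}
```

The limit is a resource accounting knob, not an access-control one: it bounds how many descriptors exist, not which objects they may refer to, so it cannot distinguish reopening the config file from opening /etc/passwd once a slot is free.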
I used to be part of a team writing a large C++ application with Lua bindings. We had two Lua environments, and you can specify the exact libraries available to Lua, so we'd start up a Lua environment without a filesystem or network once we were set up.
Just thought it was an interesting approach I'd share.