OpenBSD has the wonderful pledge()
and unveil()
syscalls:
https://www.youtube.com/watch?v=bXO6nelFt-E
Not only are they super useful (the program itself can drop privileges ā like, it can initialize itself, read some files, whatever, and then tell the kernel that it will never do anything like that again; if it does, e.g. by being exploited through a bug, it gets killed by the kernel), but they are also extremely easy to use.
Imagine a server program with a connected socket in file descriptor 0. Before reading any data from the client, the program can do this:
unveil("/var/www/whatever", "r");
unveil(NULL, NULL);
pledge("stdio rpath", NULL);
Done. Itās now limited to reading files from that directory, communicating with the existing socket, stuff like that. But it cannot ever read any other files or exec()
into something else.
I canāt wait for the day when we have something like this on Linux. There have been some attempts, but itās not that easy. And itās certainly not mainstream, yet.
I need to have a closer look at Linuxās Landlock soon (āsoonā), but this is considerably more complicated than pledge()
/unveil()
: