From: "Joshua M. Clulow" <josh@sysmgr.org>
Date: Fri, 12 Jul 2024 12:00:03 -0700
Subject: Re: [developer] Sandboxing applications
To: illumos-developer

On Fri, 12 Jul 2024 at 02:15, Peter Tribble wrote:
> You could use ppriv to limit application privileges, which provides some of the sandboxing
> capability. One thing we don't have as far as I'm aware is the ability to restrict access to a
> list of files, which would be convenient.

I've talked with some folks recently about this, in particular. We could probably add a compatible implementation of the "Extended Policy" facility that was added after the gate closed. It integrates with the existing privileges(5) stuff, but with constrained targets; e.g.,

- file_dac_read supports globs on file paths
- net_privaddr supports nominating specific TCP or UDP port numbers
- proc_setid allows a process to change to a specific range of UIDs

--
Joshua M. Clulow
http://blog.sysmgr.org
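The difference between an ordinary privilege and a target-constrained one, as discussed in the reply above, can be shown with a small model. This is an added example, not illumos code and not the real Extended Policy syntax: the Grant and allowed names, the target forms (a glob for file privileges, a port number, a UID range) and the lexical path normalization are all assumptions made for illustration. It shows why an unconstrained file_dac_read grant reaches every file while a constrained one only reaches its glob, and why the path has to be normalized before the glob is applied (a bare fnmatch "*" matches "/" and would otherwise let ".." escape the intended directory).

```python
"""Toy model of per-target privilege constraints (constructed example).

Models the idea from the thread: a privilege such as file_dac_read,
net_privaddr or proc_setid that only applies to a nominated target.
Not illumos code; the syntax and evaluation rules are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import posixpath


@dataclass(frozen=True)
class Grant:
    """One privilege grant, optionally limited to a target.

    target is None for an ordinary, unconstrained privilege; a glob
    string for file_* privileges; an int for a single port or UID;
    or a (lo, hi) tuple for an inclusive numeric range.
    """
    priv: str
    target: object = None


def _matches(priv: str, target, obj) -> bool:
    """Decide whether a grant's target covers the object being accessed."""
    if target is None:
        return True                      # unconstrained: applies everywhere
    if priv.startswith("file_"):
        if not isinstance(obj, str):
            return False
        # Normalize lexically first so "/var/log/../../etc/shadow" is
        # checked as "/etc/shadow". A real kernel would resolve the path
        # (symlinks included) at lookup time; this model does not.
        return fnmatchcase(posixpath.normpath(obj), target)
    if isinstance(target, tuple):
        lo, hi = target
        return isinstance(obj, int) and lo <= obj <= hi
    return obj == target


def allowed(grants, priv: str, obj=None) -> bool:
    """True if at least one grant confers `priv` for `obj`."""
    return any(g.priv == priv and _matches(priv, g.target, obj) for g in grants)


# Constructed policies: the same three privileges, first as ordinary
# grants, then narrowed to specific targets.
UNCONSTRAINED = [
    Grant("file_dac_read"),
    Grant("net_privaddr"),
    Grant("proc_setid"),
]
CONSTRAINED = [
    Grant("file_dac_read", "/var/log/*"),   # only files under /var/log
    Grant("net_privaddr", 443),             # only one privileged port
    Grant("proc_setid", (1000, 1999)),      # only this UID range
]

# Constructed requests a sandboxed service might make.
REQUESTS = [
    ("file_dac_read", "/var/log/syslog"),
    ("file_dac_read", "/etc/shadow"),
    ("file_dac_read", "/var/log/../../etc/shadow"),
    ("net_privaddr", 443),
    ("net_privaddr", 80),
    ("proc_setid", 1500),
    ("proc_setid", 0),
]


def compare(requests=REQUESTS):
    """Return {(priv, obj): (unconstrained_ok, constrained_ok)}."""
    return {
        (priv, obj): (allowed(UNCONSTRAINED, priv, obj), allowed(CONSTRAINED, priv, obj))
        for priv, obj in requests
    }


if __name__ == "__main__":
    for (priv, obj), (plain, narrow) in compare().items():
        print(f"{priv:14} {str(obj):32} unconstrained={plain!s:5} constrained={narrow}")
```

Run it and every request succeeds under the unconstrained policy, while the constrained policy permits only the syslog read, port 443 and UID 1500; the ".." path is rejected because it normalizes to /etc/shadow before the glob is tested.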