[mdaverde]

It would be nice to see a comparison of FreeBSD's capsicum vs OpenBSD's pledge vs Linux's landlock features. It seems to me that the general vision of these projects have overlap but the implementations wildly differ.

Another question I have is that we haven't seen popular adoption of "capability-aware" Linux programs prior to the above efforts. While obviously it would be beneficial for users for developers to adopt these patterns, I'm skeptical these will start to take hold now? Possibly the adoption method will be runtimes that do this under the hood before fork/execve the application?

[yakubin]

The visions of capsicum and OpenBSD’s pledge and unveil are wildly different. Capsicum is designed with the assumption that you may want to use it for sandboxing untrusted programs. OpenBSD’s pledge and unveil assume the program is benevolent, but may be buggy, such as httpd which could receive specially constructed input over the network, manipulating httpd into giving a root shell. Pledge and unveil restrictions are not inherited across exec syscalls, so you cannot write a utility which would run a third-party program with restricted privileges.

Of course it also means that benevolent programs, which weren’t written specifically with OpenBSD in mind, aren’t protected. So e.g. I’d feel more comfortable running cgit in a FreeBSD jail than on OpenBSD trying to cobble something together with just chroot.

Linux landlock is modelled after pledge and unveil as far as I know.