Hacker News new | ask | show | jobs
by pjmlp 434 days ago
Rather design the application from the start to use multiple processes, OS IPC and actual OS sandboxing APIs.

Pseudo sandboxing on the fly is an old idea and with its own issues, as proven by classical UNIX approach to launching daemons.
1 comments
vlovich123 434 days ago
What are the sandboxing APIs you’d recommend on Linux, Mac, & Windows? I haven’t been able to find any comprehensive references online.
link
MaulingMonkey 434 days ago
My starting point would be Chromium's documentation, as - presumably - chrome is one of the most widely used and battle tested, user-facing, third party sandboxes running on end user machines.

Windows: https://chromium.googlesource.com/chromium/src/+/main/docs/d...

Linux: https://chromium.googlesource.com/chromium/src/+/main/sandbo...

OS X: https://chromium.googlesource.com/chromium/src/+/main/sandbo...

With the caveat that I wouldn't necessairly assume this is the cutting edge at this point, and there might be other resources to invest in for server-side sandboxing involving containers or hypervisors, and that I've only actually engaged with the Windows APIs based on that reading.

I wrote `firehazard` ( https://docs.rs/firehazard/ , https://github.com/MaulingMonkey/firehazard/tree/master/exam... ) to experiment with wrapping the Windows APIs, document edge cases, etc. - although if the long list of warnings in the readme doesn't scare you away, it'll hopefully at least confirm I hesitate to recommend my own code ;)

link
woodruffw 434 days ago
macOS provides native sandboxing; you can use capabilities at the app level[1] or the sandbox-exec CLI to wrap an existing tool.

For Windows, you probably want WSB[2] or AppContainer isolation[3].

For Linux, the low-level primitives for sandboxing are seccomp and namespaces. You can use tools like Firejail and bubblewrap to wrap individual tool invocations, similar to sandbox-exec on macOS.

[1]: https://developer.apple.com/documentation/xcode/configuring-...

[2]: https://learn.microsoft.com/en-us/windows/security/applicati...

[3]: https://learn.microsoft.com/en-us/windows/win32/secauthz/app...

link
amarshall 434 days ago
Linux also has Landlock now.

macOS sandboxing is notoriously under-documented, has sharp edges, and is nowhere near as expressive as Linux sandboxing.

link
anonzzzies 434 days ago
To save a search; https://docs.kernel.org/userspace-api/landlock.html
link
woodruffw 434 days ago
Thanks! Landlock is the one I couldn't remember.

Agreed about macOS's sandboxing being under-documented.

link