On 04/04/2017 02:39 AM, Matthew Dillon wrote:
All I want is a way to run a program with a security wrapper that simply indicates which files and directories (or directory trees) can be accessed or written to, and some simple resource and network port restrictions, laid out in a text file, and have exec*() take care of everything. I don't want to have to construct a jail for everything, I don't want to have fine control over descriptor passing... I don't want to have to modify the program to make it more secure. I just want a simple 'here are the files and directories this program can access', 'here are the network ports this program can listen on', 'here is what the program can connect to', 'here are some basic resource restrictions so the program can't crash the machine or DOS it', ... and that's pretty much it. People literally create whole virtual systems JUST to do that.

-Matt
This sounds a bit like OpenBSD's pledge: http://man.openbsd.org/pledge
