Sort of similarly, I'd like to see more use of sandboxing in memory-safe language programs. But I don't see a ton of people using these OS primitives in, e.g., Rust or Go.

▲

pornel a day ago | parent | next [-]

There's a need for some portable and composable way to do sandboxing.

Library authors you can't configure seccomp themselves, because the allowlist must be coordinated with everything else in the whole process, and there's no established convention for negotiating that.

Seccomp has its own pain points, like being sensitive to libc implementation details and kernel versions/architectures (it's hard to know what syscalls you really need). It can't filter by inputs behind pointers, most notably can't look at any file paths, which is very limiting and needs even more out-of-process setup.

This makes seccomp sandboxing something you add yourself to your application, for your specific deployment environment, not something that's a language built-in or an ecosystem-wide feature.

	▲	silon42 13 hours ago \| parent [-]
		To be properly useful as a sandbox, it would be nice to have a tool that would run another process/executable in a sandboxed environment. Basically a tool that would allow to run flatpaks/AppImages/ etc... Maybe firejail already does all that can be done without using a VM.

▲

pizlonator a day ago | parent | prev [-]

I think Rust is great for sandboxing because of how Rust has basically no runtime. This is one of the nice things about rust!

Go has the same problems I’m describing in my post. Maybe those folks haven’t done the work to make the Go runtime safe for sandboxing, like what I did for Fil-C.

	▲	loeg a day ago \| parent [-]
		Sure, but even just setuiding to a restrictive uid or chrooting would go a long way, even in a managed runtime language where syscall restrictions are more challenging.