While researching for crybot.ralsina.me I ran into https://landlock.io/
Basically: it’s a Linux thing where apps can say “I only need this access” and once active THEY CANNOT GIVE IT UP.
So, I have code to enable it … does it sound generally useful? If yes I can make it a shard.
1 Like
AFAIU landlock is mostly for restricting access to file system paths.
And it works without creating an entirely different file system namespace as containers or bubblewrap would do.
It seems similar to OpenBSD’s unveil.
As such, it can be useful for defence in depth. It’s certainly never a bad idea to remove unnecessary capabilities.
Other benefits: you don’t need to run your app via a tool (like bubblewrap or bubblejail) and because it’s per-thread confinement you can do some smart things to allow “dynamic” confinement so to speak.
One issue: you need preview_mt and execution_context for those restrictions to work.
BUT: in Crystal you can start fibers in OTHER EXECUTION CONTEXTS so if the containment is per-thread you can escape it by launching a fiber :-/
I have now shipped sandboxed crybot (partial, only for tools, not for network access) and it’s super smooth:
- the agent tries to do something
- the tool fails because of permissions
- the user gets a prompt (via rofi)
- user either:
  - allows: tool runs again
  - denies: tool fails
  - says “try on the playground” and the agent gets a suggestion to use different paths
And the best part is: this is actual sandboxing. The agent could say “rm -rf /” and it will just not work.
1 Like
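An added example, not from any post in this thread and not crybot's code: a minimal C sketch of the Landlock calls discussed above, confining a forked child so that it can create, write and remove files only beneath one "playground" directory, then showing that a write elsewhere fails with EACCES. The function names, the `/tmp` directory names and the return-code convention are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define WRITE_ACCESS (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | \
                      LANDLOCK_ACCESS_FS_REMOVE_FILE)   /* rights the ruleset governs */
/* Confine the calling thread: create/write/remove files only beneath dir. */
static int confine_writes_to(const char *dir) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = WRITE_ACCESS };
    int rs = syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return -1;                      /* Landlock missing or disabled */
    struct landlock_path_beneath_attr rule = { .allowed_access = WRITE_ACCESS,
                                               .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
    int ok = rule.parent_fd >= 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0
        && syscall(SYS_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) == 0
        && syscall(SYS_landlock_restrict_self, rs, 0) == 0;
    close(rule.parent_fd); close(rs);
    return ok ? 0 : -1;
}

static int try_create(const char *dir) {        /* 0 on success, else errno */
    char path[4096];
    snprintf(path, sizeof path, "%s/probe", dir);
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return errno;
    close(fd);
    return unlink(path) ? errno : 0;
}

/* -1: Landlock unavailable. Else bit 0: playground write ok, bit 1: outside write got EACCES. */
int landlock_demo(void) {
    char play[] = "/tmp/playground-XXXXXX", other[] = "/tmp/outside-XXXXXX";
    if (!mkdtemp(play) || !mkdtemp(other)) return -1;
    pid_t pid = fork();                         /* only the child gets confined */
    if (pid == 0) {
        if (confine_writes_to(play) != 0) _exit(4);
        _exit((try_create(play) == 0) | ((try_create(other) == EACCES) << 1));
    }
    int st = 0, code = 4;
    if (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st)) code = WEXITSTATUS(st);
    rmdir(play); rmdir(other);
    return code == 4 ? -1 : code;
}
int main(void) { printf("landlock_demo() = %d\n", landlock_demo()); return 0; }
```

Because the ruleset handles only write-type rights, reads stay unrestricted; a result of 3 means both checks passed, and -1 means the kernel does not offer Landlock.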