
> Freebsd has capsicum which, like seccomp (mentioned else-thread) is much more complex and flexible.

Capsicum may be more flexible in some ways, but it's also less flexible in others.

After a process enters capsicum mode, it can't open new sockets, except by accepting on an existing listen socket or by receiving them on a unix socket, sent by a cooperating non-capsicum process. This means you can't capsicum a TLS proxy like hitch, which would be a great thing to capsicum since the operation is pretty simple and OpenSSL is scary.



Not true, of course you can do that. Not being able to open files or sockets only means you need a small separate process to do that for you and then send you the file descriptors.


I said you could get them from a cooperating uncapsicumed process. But, it's not simple, and what are you going to write that loophole process in, and why does it get access to the filesystem if it only needed sockets, etc.

Capsicum is simply not flexible in this way. Maybe if there was a way to open a new socket with a capability you set up earlier, that would be flexible enough.


It is pretty simple - implementing that for irssi(1) took a dozen or two lines of C, IIRC. Sure, it could be simpler, and hopefully libcasper(3) will make it happen, but it's not much of a difference.
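The "small separate process that opens the socket and sends you the file descriptor" pattern discussed in this thread, as an added example that is not code from any commenter, from hitch or from irssi. A parent broker creates a socket, forks a worker that calls cap_enter(), and then hands the socket to the worker over a unix-domain socketpair with SCM_RIGHTS; the worker, which can no longer create sockets itself, replies through the one it was given. The cap_enter() call is wrapped in an #ifdef so the program also builds and runs on Linux, where it is a no-op by assumption; the socketpair standing in for the brokered socket and the reply text are constructed for the demo.

```c
/* Added example: Capsicum broker pattern (not from the thread or any project).
 * Parent (unsandboxed) opens sockets; child enters capability mode and can
 * only obtain new descriptors by having them passed over a unix socket. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Send one descriptor over a unix-domain socket. Returns 0 on success, -1 on failure. */
int send_fd(int chan, int fd) {
    char byte = 'F';                          /* SCM_RIGHTS needs at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new fd, or -1 if none arrived or the
 * control message is not exactly one SCM_RIGHTS descriptor. */
int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Enter capability mode where Capsicum exists; elsewhere a no-op (assumption). */
static int sandbox_enter(void) {
#ifdef __FreeBSD__
    return cap_enter();
#else
    return 0;
#endif
}

/* Run the broker/worker exchange. Returns 0 if the sandboxed child replied
 * correctly through the socket it was handed, -1 otherwise. */
int run_broker_demo(void) {
    int chan[2], conn[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) == -1) return -1;
    /* conn stands in for a socket the broker opened on the worker's behalf (constructed) */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) == -1) return -1;

    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                           /* sandboxed worker */
        close(chan[0]); close(conn[0]); close(conn[1]);
        if (sandbox_enter() != 0) _exit(2);
        int s = recv_fd(chan[1]);             /* only way to get a new socket now */
        if (s == -1) _exit(3);
        const char *reply = "hello from capability mode";
        ssize_t n = write(s, reply, strlen(reply));
        _exit(n == (ssize_t)strlen(reply) ? 0 : 4);
    }
    /* broker side: hand over the descriptor, then drop our copy of it */
    close(chan[1]);
    int rc = send_fd(chan[0], conn[1]);
    close(conn[1]);
    close(chan[0]);
    char buf[64] = {0};
    ssize_t n = rc == 0 ? read(conn[0], buf, sizeof buf - 1) : -1;
    close(conn[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return strcmp(buf, "hello from capability mode") == 0 ? 0 : -1;
}

int main(void) {
    int rc = run_broker_demo();
    printf("broker demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The broker only ever holds the descriptors it intends to hand over, which is the practical answer to the "why does it get access to the filesystem" objection: the broker's job is narrow and its own privileges can be limited accordingly, while the worker, once in capability mode, is confined to the descriptors it already has plus whatever arrives over the channel.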



