Draft: Restrict filesystem access to the download process whenever possible
Hi!
This is a follow-up to the sandboxing work, restricting filesystem access to the downloader process when sandboxing is enabled and Landlock support is available.
Right now what it does is make the whole filesystem read-only except for the temporary download directory. It would be possible, and likely desirable, to restrict what the process can read even more, but I wanted to discuss whether there was interest in such a feature, as well as the general approach, before spending too much time ironing out the details.
I have placed the new code in a sandbox_fs.c file, with the idea of adding a sandbox_syscalls.c later to restrict allowed syscalls via seccomp, but another possibility would be to have a sandbox_linux.c file where all Linux-specific features are located.
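The approach the draft describes, as an added stand-alone example rather than the PR's own sandbox_fs.c: build a Landlock ruleset that handles every filesystem right the running kernel's ABI knows, grant read-only access beneath "/" and every handled right beneath the download directory, then apply it to the calling process. The function names (sandbox_fs_restrict, can_create_file), the return convention, and the choice to treat a missing Landlock as a distinct "unavailable" result rather than an error are this example's assumptions, not the project's.

```c
/* Added example (not the PR's sandbox_fs.c): give the calling process a
 * read-only view of the whole filesystem plus one read-write download
 * directory, using Landlock. Linux-only; all names here are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/landlock.h>   /* needs kernel headers >= 5.13 */

/* Rights added after ABI v1; define them if the headers predate them. */
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER    (1ULL << 13)   /* ABI v2 */
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)   /* ABI v3 */
#endif
/* glibc has no wrappers; the numbers are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* All filesystem rights known to ABI v1 (13 bits). */
#define LL_FS_V1 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
    LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR | \
    LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | \
    LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | \
    LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM)
#define LL_FS_READ_ONLY (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* Allow 'allowed' beneath 'path' in the ruleset. Rules only ever add rights. */
static int add_path_rule(int ruleset_fd, const char *path, __u64 allowed)
{
    struct landlock_path_beneath_attr rule = { .allowed_access = allowed };
    int rc;
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return -1;
    rc = syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* Returns 0 once the process is restricted, 1 if this kernel offers no Landlock
 * (the caller decides whether running unsandboxed is acceptable), -1 on error
 * with errno set. Irreversible, and inherited by every later fork/exec. */
int sandbox_fs_restrict(const char *download_dir)
{
    struct landlock_ruleset_attr attr = { 0 };
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    int fd, rc;
    /* ENOSYS: kernel without Landlock; EOPNOTSUPP: built but not in the LSM
     * list; EPERM: the syscall is blocked by a seccomp filter (e.g. a container). */
    if (abi < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    /* A right that is not handled is never denied, so handle every right this
     * kernel's ABI knows; rights newer than the ABI would be rejected (EINVAL). */
    attr.handled_access_fs = LL_FS_V1;
    if (abi >= 2) attr.handled_access_fs |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) attr.handled_access_fs |= LANDLOCK_ACCESS_FS_TRUNCATE;
    fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0)
        return -1;
    rc = add_path_rule(fd, "/", LL_FS_READ_ONLY);                 /* read everywhere */
    if (rc == 0)                  /* every handled right beneath the download dir */
        rc = add_path_rule(fd, download_dir, attr.handled_access_fs);
    if (rc == 0)                  /* restrict_self refuses to run without no_new_privs */
        rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0)
        rc = syscall(__NR_landlock_restrict_self, fd, 0);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Probe: 1 if a file can be created in dir, 0 if the kernel refuses. */
int can_create_file(const char *dir)
{
    char path[4096];
    int fd;
    snprintf(path, sizeof path, "%s/probe.tmp", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    unlink(path);
    return 1;
}

int main(void)
{
    char dl[] = "/tmp/dl.XXXXXX", other[] = "/tmp/other.XXXXXX";
    if (!mkdtemp(dl) || !mkdtemp(other)) { perror("mkdtemp"); return 1; }
    int rc = sandbox_fs_restrict(dl);
    if (rc < 0) { perror("sandbox_fs_restrict"); return 1; }
    printf("landlock %s\n", rc ? "unavailable, not restricted" : "enforced");
    printf("create in %s: %d\ncreate in %s: %d\n",
           dl, can_create_file(dl), other, can_create_file(other));
    return 0;   /* the temp dirs stay: removing them would need write on /tmp */
}
```

Two caveats worth keeping in mind with this shape. The "/" rule grants no EXECUTE, so once restricted the process cannot exec anything; if the downloader spawns helpers, add LANDLOCK_ACCESS_FS_EXECUTE to that rule (or a narrower one for the helper's directory). And because restriction is irreversible and inherited, it belongs after the process has opened whatever it legitimately needs outside the download directory and before it touches untrusted input; it says nothing about which syscalls are reachable, which is the separate seccomp step the draft mentions.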