auto-sandboxed / auto-privileged processes

UPDATE: I have now learned about SELinux, which doesn't most of this

note: throughout this article i refer to sandboxing, which means limiting the damage or resources a process has access to.

currently, sandboxing (docker, vms, deno, wasm, cloudflare sandboxify, systemd seccomp) applications requires the user to manually specify that the process should be sandboxed every time it runs. this often leads to most application running without a sandbox as the effort to sandbox them is high.

i propose a strategy for sandboxing based on the hash of a executable and the user running the executable which automatically sandboxes the application. this is a similar idea to how iphone apps get permissions.

the idea it pretty simple. take the hash of an executable and a user as a key into a map to a set of permissions.

(hash of exe, user) -> permissions for sandbox

this allows the system to know what permissions that application and user may have and sandbox the application appropriately. using the hash of the executable ensures that the application is the one specified regardless of where it is in the filesystem.

this table can be updated by the user with any permission that user has or using well known privilege escalation tools (sudo, doas) to give permissions that they don’t have (this acts as a form of privilege execution).

this would allow users to run applications with a subset of the super users permissions without granting full access (limited privilege escalation) or using a tool (sudo, doas).

running the executable creates a sandboxed environment (container) where only operations in the table can be performed. the only files mapped into the sandbox are ones the table has explicitly permitted. the executable can pledge / seccomp away permissions during its execution to further prevent the attack surface. subprocesses are spawned into this sandbox by default or its own sandbox based on the table, this prevents breaking out of the set privileges.

okay but what about this auto portion? well it would need some initial setup for each executable and each new executable but presumably this could be done by a OS provider like fedora or ubuntu. package managers could also update this table with the relevant mappings when packages are installed. this is similar to how systemd provides the SystemCallFilter=.

each time the user runs a process which isn't sandboxed they could be asked with what permissions it should be sandboxed. this is similar to deno and cloudflare's sandboxify.

downside #1 - only executables are managed by this. java, python and other scripting languages would not be well sandboxed because their executable is general purpose.

downside #2 - an initial setup is still required.

let me know your thoughts on this or if you have found something similar