Today I learned about landlock. Overall, I’m impressed by how comprehensive this is. I’m definitely bookmarking it. Thank you for doing so much research.
I do have a mention that the macOS/iOS/XNU sandbox is indeed a TrustedBSD module, however unfortunately the sources on that specific tech were very scarce (such as this guide along with a couple of reverse engineering conferences). Care to elaborate on the Juniper’s mention, you mean Junos, were they the one who developed it for Apple?
Apple funded the TrustedBSD work. Robert Watson wrote it under contract to Apple and was allowed to implement it for both XNU and FreeBSD (with some subtle changes, XNU has a much stronger notion of a canonical path than FreeBSD). The first versions mentioned this in the marketing docs and, even though the policies are proprietary, the hooks are all in the public XNU code.
JunOS is a FreeBSD fork (after many years of effort, it is a fork, rather than a network of forks) that uses the MAC frmework for code signing and some sandboxing things, though I’ve forgotten the details.
Today I learned about
landlock. Overall, I’m impressed by how comprehensive this is. I’m definitely bookmarking it. Thank you for doing so much research.Thank you.
landlockcould be simply explained as the equivalent of OpenBSD’sunveil, however it differs in a couple of ways from it.The XNU Sandbox framework is a TrustedBSD module, as are several of Juniper’s things.
I do have a mention that the macOS/iOS/XNU sandbox is indeed a TrustedBSD module, however unfortunately the sources on that specific tech were very scarce (such as this guide along with a couple of reverse engineering conferences). Care to elaborate on the Juniper’s mention, you mean Junos, were they the one who developed it for Apple?
Apple funded the TrustedBSD work. Robert Watson wrote it under contract to Apple and was allowed to implement it for both XNU and FreeBSD (with some subtle changes, XNU has a much stronger notion of a canonical path than FreeBSD). The first versions mentioned this in the marketing docs and, even though the policies are proprietary, the hooks are all in the public XNU code.
JunOS is a FreeBSD fork (after many years of effort, it is a fork, rather than a network of forks) that uses the MAC frmework for code signing and some sandboxing things, though I’ve forgotten the details.
That makes sense, and does indeed resonate with what I’ve read. Thanks for the info, it’s interesting to know!