[FEATURE REQUEST] Easy sandboxing with landlock for Linux #2657
Description
Heya,
Linux has this amazing feature called landlock, which allows you to easily lock down your programs access. It limits the blast radius of exploits, for example if you have a rogue third-party dependency, or if you haven't properly sanitized user input.
I think this is particularly cool for shell script. With CGI for example, you usually add some protection by chrooting into a data directory to limit process access. However, with landlock you could have even more fine-grained control and limit access for each individual handler, including restricting their network access.
I think it'd be amazing if ysh supported an easy way to landlock itself. For inspiration, go-landlock provides a very simple high-level API that looks like this:
err := landlock.V5.BestEffort().RestrictPaths(
landlock.RODirs("/usr", "/bin"),
landlock.RWDirs("/tmp"),
)