
> FreeBSD has similar stuff and it is also super complicated and basically unused.

Are you talking about Capsicum? It's definitely not unused. Unloved, maybe.

There was a Reddit thread where some people talked about the possibility of layering pledge/unveil on top of it.

https://www.reddit.com/r/freebsd/comments/jldsm2/do_freebsds...

Something along these lines has been done by Ryan Stone

https://papers.freebsd.org/2020/bsdcan/stone-oblivious_sandb...




Capsicum seems so useful, but some of the boundaries are so rigid. As far as I could tell, you can't capsicum anything like a TLS terminator or HTTP proxy etc., because there's no way to allow opening new sockets after entering capabilities mode; you could have another process open up the sockets and pass the FD, but if I'm writing both the sandboxed process and the one that opens sockets, I'm not sure it makes enough difference. I ended up with jails instead; being stuck in a chroot with only a static executable, a config file, and a log file felt good enough to me.


It’s rigid, because it implements a security architecture (capability-based security) instead of providing a mechanism to implement random restrictions.


Capability-based security can be done flexibly: look at EROS and E:

http://www.erights.org/related.html


Yes, Capsicum, and libcasper and MAC and whatever else they are adding to it now to make it saner to use in practice (I don't really keep up).

I'm not fully up to speed, but apart from some commands in the base system, I know of nothing that even attempts to use it.

There has been talk of adopting pledge/unveil into Linux also using EBPF if I remember right, though that doesn't seem to have gone anywhere either.

I'm not saying pledge/unveil are the best way to do it, and in theory Capsicum is AWESOME, but it's also super complicated and not for the faint of heart.

But pledge/unveil are mostly idiot proof, in about 15m you can figure out enough of how it works to feel comfortable trying it out in something like `cat`. I've now read the landlock docs and the capsicum docs and I still don't feel comfortable playing with either one of them. I'd need a lot of time and the docs laying open beside me to feel comfortable even trying them in a small thing like `cat`. Reality is? Nobody will ever bother until forced.

And "security" in computer land is still trying to figure out how to fix giant gaping holes like memory leaks and overflows. Things like capabilities are still not even on the roadmap in most software. If you care at all about cross-platform, there is zero chance you can implement capabilities.
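The pledge/unveil-restricted `cat` that the comment above has in mind, written out as an added example (not code from the thread or from OpenBSD). `restrict_to_files` and `copy_fd` are names of my own, and the `#ifndef __OpenBSD__` stand-ins are an assumption so the program still builds as a plain `cat` on systems without pledge(2)/unveil(2):

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifndef __OpenBSD__
/* Not OpenBSD: stand-in no-ops (assumption) so the program still builds. */
static int unveil(const char *p, const char *perms) { (void)p; (void)perms; return 0; }
static int pledge(const char *prom, const char *exec) { (void)prom; (void)exec; return 0; }
#endif

/* Expose only the named files read-only, lock the unveil list, then drop to
 * "stdio rpath": open(2) of unveiled paths and writes to stdout still work;
 * sockets, exec and creating files do not. Returns 0, or -1 with errno set. */
int restrict_to_files(const char *const *paths, int npaths)
{
    for (int i = 0; i < npaths; i++)
        if (unveil(paths[i], "r") == -1)
            return -1;
    if (unveil(NULL, NULL) == -1)       /* no further unveil() calls allowed */
        return -1;
    return pledge("stdio rpath", NULL);
}

/* Copy everything from fd to out_fd; returns bytes copied, or -1 on error. */
long copy_fd(int fd, int out_fd)
{
    char buf[4096];
    long total = 0;
    ssize_t n, w, off;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w)
            if ((w = write(out_fd, buf + off, n - off)) == -1)
                return -1;
        total += n;
    }
    return n == -1 ? -1 : total;
}

int main(int argc, char **argv)
{
    /* Sandbox before touching any file; the file list is known from argv. */
    if (restrict_to_files((const char *const *)argv + 1, argc - 1) == -1)
        return perror("sandbox"), 1;
    for (int i = 1; i < argc; i++) {
        int fd = open(argv[i], O_RDONLY);   /* permitted: unveiled + rpath */
        if (fd == -1 || copy_fd(fd, STDOUT_FILENO) == -1)
            return perror(argv[i]), 1;
        close(fd);
    }
    return 0;
}
```

On OpenBSD, any later attempt to open a path that was not unveiled fails with ENOENT, and a call outside the "stdio rpath" promises kills the process with SIGABRT, which is the whole point of calling both before the first open(2).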


zie may be referring to the Mandatory Access Control implementation on FreeBSD[0], not Capsicum.

[0] https://docs.freebsd.org/en/books/handbook/mac/



