Linux 5.13 is going to include the unprivileged sandboxing feature
Landlock, which has been in the making for many years now.

*Unprivileged* means that you don't need special system-level
privileges like `root` or `CAP_MAC_ADMIN` to use it, as some other
Linux sandboxing mechanisms do. Philosophically speaking, you should
not need additional special privileges just to drop the privileges
that you already have.

<div class="sidenote">How it works</div>

With Landlock, processes can restrict themselves to only use a
specified set of file paths, and it lets them control which operations
are available on these paths and their subdirectories (for example
opening for reading, writing, and directory operations[^except]).

A similar sandboxing feature has been around in OpenBSD for a while
now with `unveil()`: [this slide
deck](https://www.openbsd.org/papers/bsdcan2019-unveil/index.html)
[and talk](https://www.youtube.com/watch?v=gvmGfpMgny4) by Bob Beck
cover the lessons learned and include examples of how to sandbox
software with it, which should translate well to Landlock.
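As an added illustration (not code from the post or from the landlockjail tool), the self-restriction sequence Landlock expects is: create a ruleset naming the access rights it handles, add a path-beneath rule per allowed directory, set no_new_privs, then restrict the calling thread. The struct layouts and syscall numbers are spelled out as assumptions mirroring the Linux 5.13 UAPI header; `/usr` as the read-only tree and `/tmp/landlock_probe_constructed` as the write target are constructed sample values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI v1 (Linux 5.13) definitions, spelled out so this builds without
 * <linux/landlock.h>; the values mirror that header and the syscall table. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LL_READ_ONLY ((1ULL << 2) | (1ULL << 3)) /* READ_FILE | READ_DIR */
#define LL_ALL_V1    ((1ULL << 13) - 1)          /* all 13 v1 access rights */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Fork a child that confines itself to read-only access beneath ro_dir, then
 * tries to create/write target. Returns 1 if Landlock denied the write (EACCES),
 * 0 if allowed, 2 if the sandbox could not be set up (e.g. kernel without
 * Landlock), 3 if the write failed for an unrelated reason, -1 on fork error. */
int probe_write_denied(const char *ro_dir, const char *target) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct landlock_ruleset_attr rs = { .handled_access_fs = LL_ALL_V1 };
        int ruleset = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
        struct landlock_path_beneath_attr pb = {
            .allowed_access = LL_READ_ONLY, .parent_fd = open(ro_dir, O_PATH | O_CLOEXEC) };
        if (ruleset < 0 || pb.parent_fd < 0 ||
            syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &pb, 0) ||
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || /* mandatory before restrict_self */
            syscall(__NR_landlock_restrict_self, ruleset, 0))
            _exit(2);
        int fd = open(target, O_WRONLY | O_CREAT, 0600); /* target is not beneath ro_dir */
        _exit(fd < 0 ? (errno == EACCES ? 1 : 3) : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) {
    int r = probe_write_denied("/usr", "/tmp/landlock_probe_constructed");
    printf("probe result: %d (1 = write denied by Landlock)\n", r);
    return 0;
}
```

The restriction is applied in a forked child so the parent stays unconfined; a result of 2 means the running kernel (or a seccomp filter in front of it) does not offer the Landlock syscalls.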

<div class="sidenote">Download</div>

To make it easier to play with, I forked the Landlock example tool
from the kernel sources and made it compile standalone. You can get it
at
[https://github.com/gnoack/landlockjail](https://github.com/gnoack/landlockjail),
or you can just download a [precompiled, statically linked
version](https://github.com/gnoack/landlockjail/releases/download/v1/lljail).

[^except]: At the moment, there are still some gaps, like `stat()`,
which can still be done even in landlocked processes. But it's moving
in the right direction, and at least accesses to the files' contents
can already be restricted.
