onekey-sec/unblob

Isolation suggestion: landlock

chrysn opened this issue · 0 comments

As I understand from today's workshop, unblob is troubled by libraries and external programs plagued by security issues such as ../.. components in paths. That workshop's discussion showed that chrooting is impractical due to its root requirements.

As an alternative, I suggest you look into landlock, a recent Linux access control mechanism similar to OpenBSD's unveil. This would allow the process to take away its own privileges to the file system (or other system calls), and limit itself to writing to the files that it intends to write to (e.g. the JSON report and the unpacking file). Unlike chroot, it requires no elevated privileges; plus it can be configured to run on a best-effort basis in case the requirements on a relatively recent kernel are not acceptable.
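To make the suggestion concrete, the following is an added example (not unblob's code and not part of the issue) of what a best-effort Landlock self-restriction looks like from Python. It assumes Linux and talks to the kernel through raw syscalls via `ctypes` rather than a Landlock binding; the syscall numbers, struct layouts and access-right bits are the ones from `<linux/landlock.h>`, while `restrict_to`, `demo_sandbox` and the scratch directory layout are constructed for the demonstration. The process keeps a read-only view of the whole tree, gets full filesystem rights only beneath one output directory, and degrades to "no restriction" when the kernel has no Landlock, which is the best-effort mode the issue mentions.

```python
import ctypes
import os
import shutil
import sys
import tempfile
# Landlock syscall numbers (Linux 5.13+; the same value on every architecture).
SYS_LANDLOCK_CREATE_RULESET, SYS_LANDLOCK_ADD_RULE, SYS_LANDLOCK_RESTRICT_SELF = 444, 445, 446
LANDLOCK_CREATE_RULESET_VERSION = 1 << 0     # flag: query the ABI version instead of creating
LANDLOCK_RULE_PATH_BENEATH = 1
PR_SET_NO_NEW_PRIVS = 38
# Filesystem access rights from <linux/landlock.h>: ABI 1 = bits 0..12, REFER (ABI 2), TRUNCATE (ABI 3).
ACCESS_FS_V1_ALL, LANDLOCK_ACCESS_FS_REFER, LANDLOCK_ACCESS_FS_TRUNCATE = (1 << 13) - 1, 1 << 13, 1 << 14
ACCESS_FS_READ_ONLY = (1 << 0) | (1 << 2) | (1 << 3)   # EXECUTE | READ_FILE | READ_DIR

class RulesetAttr(ctypes.Structure):          # struct landlock_ruleset_attr (ABI 1 layout)
    _fields_ = [("handled_access_fs", ctypes.c_uint64)]

class PathBeneathAttr(ctypes.Structure):      # struct landlock_path_beneath_attr (packed)
    _pack_ = 1
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]

def _libc():
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    return libc

def _check(ret, what):
    if ret < 0:
        raise OSError(ctypes.get_errno(), what)
    return ret

def landlock_abi_version():
    """Kernel Landlock ABI version, or -1 if unavailable (non-Linux, old kernel, LSM off, seccomp)."""
    if sys.platform != "linux":
        return -1
    ret = _libc().syscall(ctypes.c_long(SYS_LANDLOCK_CREATE_RULESET), None,
                          ctypes.c_size_t(0), ctypes.c_uint32(LANDLOCK_CREATE_RULESET_VERSION))
    return ret if ret >= 0 else -1

def handled_access_for_abi(abi):
    """Every FS right this kernel knows (handling a right it does not know gives EINVAL)."""
    return (ACCESS_FS_V1_ALL | (LANDLOCK_ACCESS_FS_REFER if abi >= 2 else 0)
            | (LANDLOCK_ACCESS_FS_TRUNCATE if abi >= 3 else 0))   # ABI 5+ IOCTL_DEV left unhandled

def restrict_to(writable_dir, abi=None):
    """Best effort: whole tree read-only, full FS rights only beneath writable_dir; False if no Landlock."""
    abi = landlock_abi_version() if abi is None else abi
    if abi < 1:
        return False
    libc, handled = _libc(), handled_access_for_abi(abi)
    fd = _check(libc.syscall(ctypes.c_long(SYS_LANDLOCK_CREATE_RULESET), ctypes.byref(RulesetAttr(handled)),
                             ctypes.c_size_t(ctypes.sizeof(RulesetAttr)), ctypes.c_uint32(0)),
                "landlock_create_ruleset")
    try:
        for path, rights in (("/", ACCESS_FS_READ_ONLY), (writable_dir, handled)):
            parent_fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
            try:
                rule = PathBeneathAttr(rights, parent_fd)
                _check(libc.syscall(ctypes.c_long(SYS_LANDLOCK_ADD_RULE), ctypes.c_int(fd),
                                    ctypes.c_int(LANDLOCK_RULE_PATH_BENEATH), ctypes.byref(rule),
                                    ctypes.c_uint32(0)), "landlock_add_rule")
            finally:
                os.close(parent_fd)
        # restrict_self needs no_new_privs (or CAP_SYS_ADMIN); the result is inherited by children
        # and can never be lifted again by this process.
        _check(libc.prctl(ctypes.c_int(PR_SET_NO_NEW_PRIVS), ctypes.c_ulong(1), ctypes.c_ulong(0),
                          ctypes.c_ulong(0), ctypes.c_ulong(0)), "prctl")
        _check(libc.syscall(ctypes.c_long(SYS_LANDLOCK_RESTRICT_SELF), ctypes.c_int(fd),
                            ctypes.c_uint32(0)), "landlock_restrict_self")
    finally:
        os.close(fd)
    return True

def demo_sandbox():
    """Fork a child, confine it to one output directory, and have it try to write
    beside that directory (the effect a '../..' path component would have)."""
    abi = landlock_abi_version()
    base = tempfile.mkdtemp(prefix="landlock-demo-")   # constructed scratch layout
    out_dir = os.path.join(base, "out")
    os.mkdir(out_dir)
    inside, outside = os.path.join(out_dir, "report.json"), os.path.join(base, "escaped.txt")
    pid = os.fork()
    if pid == 0:                      # child exit code: 0 = denied, 1 = allowed, 2 = error
        code = 2
        try:
            restrict_to(out_dir, abi)
            with open(inside, "w") as f:
                f.write("{}")         # beneath out_dir: allowed
            try:
                with open(outside, "w") as f:
                    f.write("leak")
                code = 1
            except PermissionError:   # EACCES raised by Landlock
                code = 0
        finally:
            os._exit(code)            # never returns, so no exception escapes the child
    code = os.WEXITSTATUS(os.waitpid(pid, 0)[1])
    shutil.rmtree(base, ignore_errors=True)
    return {"abi": abi, "enforced": abi >= 1, "outside_write_denied": code == 0, "child_status": code}
```

The demonstration runs the restricted work in a forked child so the calling process stays unrestricted; in a tool like unblob the `restrict_to` call would instead happen once, after the output directory exists and before any extractor or external program is started, because the Landlock restriction is inherited by every subprocess. The `handled_access_for_abi` step is the part that is easy to get wrong: a ruleset must handle exactly the rights the running kernel knows about, so a newer right than the kernel supports is an `EINVAL`, and a right left unhandled stays unrestricted everywhere.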