We introduce a new security model for NetBSD -- secmodel_sandbox -- that allows per-process policies for restricting privileges. Privileges correspond to kauth authorization requests, such as a request to create a socket or read a file, and policies specify the sandbox's decision: deny, defer, or allow.

Processes may apply multiple sandbox policies to themselves, in which case the policies stack, and child processes inherit their parent's sandbox. Sandbox policies are expressed in Lua, and the evaluation of policies uses NetBSD 7's experimental in-kernel Lua interpreter. As such, policies may express static authorization decisions, or may register Lua functions that secmodel_sandbox invokes for a decision.
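To make the decision semantics described above concrete, here is an added Python model of a stacked per-process policy engine. It is illustrative code written for this page, not secmodel_sandbox's own implementation or its Lua API. The request names (such as "network.socket.open"), the sample policies and the combination rule are assumptions: the combination rule is taken to follow kauth's own convention, where any deny wins, otherwise any allow wins, and a stack with no opinion yields defer so that the kernel's default handling applies.

```python
from enum import Enum
from typing import Callable, Dict, List, Union


class Decision(Enum):
    """The three answers a sandbox policy can give to an authorization request."""
    DENY = "deny"
    DEFER = "defer"
    ALLOW = "allow"


# A rule is either a static decision or a function that inspects the request
# arguments and returns a decision (the Python stand-in for a registered Lua
# function). Request names here are constructed for the example; they only
# mirror kauth's scope/action/subaction naming loosely.
Rule = Union[Decision, Callable[[dict], Decision]]
Policy = Dict[str, Rule]


def evaluate_policy(policy: Policy, request: str, args: dict) -> Decision:
    """Evaluate a single policy; a request it does not mention gets no opinion."""
    rule = policy.get(request, Decision.DEFER)
    return rule(args) if callable(rule) else rule


def evaluate_stack(stack: List[Policy], request: str, args: dict) -> Decision:
    """Combine stacked policies (assumed kauth-style): DENY beats ALLOW beats DEFER."""
    saw_allow = False
    for policy in stack:
        decision = evaluate_policy(policy, request, args)
        if decision is Decision.DENY:
            return Decision.DENY          # one deny is final, no later policy can undo it
        if decision is Decision.ALLOW:
            saw_allow = True
    return Decision.ALLOW if saw_allow else Decision.DEFER


class Process:
    """Minimal process model: a sandbox is a list of policies, inherited on fork."""

    def __init__(self, sandbox: List[Policy] = None):
        self.sandbox: List[Policy] = list(sandbox or [])

    def apply_sandbox(self, policy: Policy) -> None:
        # Policies only accumulate; a process can tighten but never remove one.
        self.sandbox.append(policy)

    def fork(self) -> "Process":
        # The child starts with a copy of the parent's stack, so later policies
        # applied by the child do not loosen or change the parent.
        return Process(self.sandbox)

    def authorize(self, request: str, args: dict = None) -> Decision:
        return evaluate_stack(self.sandbox, request, args or {})


# Constructed sample policies for the demonstration.
def read_only_under_app(args: dict) -> Decision:
    """Function-valued rule: allow reads only beneath an assumed /var/app/ prefix."""
    return Decision.ALLOW if args.get("path", "").startswith("/var/app/") else Decision.DENY


NETWORK_LOCKDOWN: Policy = {"network.socket.open": Decision.DENY}
APP_FILES: Policy = {"vfs.file.read": read_only_under_app}


def demo() -> Dict[str, str]:
    """Apply two policies to a parent, fork, tighten the child, and query both."""
    parent = Process()
    parent.apply_sandbox(NETWORK_LOCKDOWN)
    parent.apply_sandbox(APP_FILES)
    child = parent.fork()
    child.apply_sandbox({"vfs.file.read": Decision.DENY})  # child removes its own read access
    return {
        "parent_socket": parent.authorize("network.socket.open").value,
        "parent_read_ok": parent.authorize("vfs.file.read", {"path": "/var/app/cfg"}).value,
        "parent_read_bad": parent.authorize("vfs.file.read", {"path": "/etc/passwd"}).value,
        "parent_unmentioned": parent.authorize("process.fork").value,
        "child_read": child.authorize("vfs.file.read", {"path": "/var/app/cfg"}).value,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is the one that matters for a sandbox: stacking is monotone. Once a policy in the stack denies a request, no policy applied later by the same process or by a forked child can turn it back into an allow, while requests no policy mentions fall through as defer and are left to the kernel's ordinary security models.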