translateLocally
Sandboxing
The native messaging interface is potentially parsing random HTML from the internet with a terrible C++ parser, and that might be pretty unsafe. We could use sandboxing APIs provided by the OS to have most of bergamot-translator run with minimal privileges?
There is no universal API for it. Linux has seccomp, OpenBSD has pledge(), macOS has sandbox-exec; I have no idea about Windows but am certain it has APIs to limit access as well.
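An added example (not code from translateLocally or bergamot-translator) of what the Linux option looks like in practice: the parse step runs in a forked child that installs a seccomp-bpf syscall allowlist before it reads the input, so an exploited parser can still compute on its buffers but cannot open files, talk to the network or exec anything. The tag-stripping routine is a stand-in for the real HTML parser; the allowlist, the pipe protocol and the 4 KiB message limit are assumptions made for the demo. Linux only.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __aarch64__
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#define SANDBOX_ARCH AUDIT_ARCH_X86_64   /* assumes x86-64 otherwise; add other arches here */
#endif
enum { SANDBOX_MAX = 4096 };             /* assumed per-message size limit for this demo */

/* Allowlist entry: return ALLOW if the syscall number matches, else fall through. */
#define ALLOW_SYSCALL(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* After this, the thread may only read, write and exit; anything else (open, socket, execve, ...) kills it with SIGSYS. */
static int install_filter(void) {
    struct sock_filter filter[] = {
        /* Reject other ABIs (e.g. 32-bit compat) so syscall numbers can't alias ours. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_SYSCALL(__NR_read),
        ALLOW_SYSCALL(__NR_write),
        ALLOW_SYSCALL(__NR_exit),
        ALLOW_SYSCALL(__NR_exit_group),
        ALLOW_SYSCALL(__NR_rt_sigreturn),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* NO_NEW_PRIVS lets an unprivileged process install the filter and blocks setuid escapes. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Stand-in for the real parser: copy `in` to `out` minus anything between '<' and '>'. Caller-supplied buffers only: malloc would need brk/mmap, which the filter refuses. */
static size_t strip_tags(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t o = 0;
    for (size_t i = 0, in_tag = 0; i < inlen && o + 1 < outcap; i++) {
        if (in[i] == '<') in_tag = 1;
        else if (in[i] == '>') in_tag = 0;
        else if (!in_tag) out[o++] = in[i];
    }
    out[o] = '\0';
    return o;
}

/* Run strip_tags on `html` in a forked, seccomp-confined child, talking over two pipes.
   Returns the output length, -1 on failure, or -signal if the child was killed by a signal.
   `misbehave` makes the child call getpid() after the filter is in place, to show a violation. */
static ssize_t parse_sandboxed(const char *html, char *out, size_t outcap, int misbehave) {
    int to_child[2], from_child[2], status = 0;
    if (pipe(to_child) != 0 || pipe(from_child) != 0) return -1;
    /* Queue the input before forking (it fits in the pipe buffer) and close the write end: the child sees EOF after the data and the parent can never take a SIGPIPE. */
    size_t hlen = strlen(html) > SANDBOX_MAX ? SANDBOX_MAX : strlen(html);
    if (write(to_child[1], html, hlen) != (ssize_t)hlen) return -1;
    close(to_child[1]);
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                                      /* child */
        close(from_child[0]);
        char in[SANDBOX_MAX], res[SANDBOX_MAX];
        if (install_filter() != 0) _exit(2);             /* from here on: read/write/exit only */
        size_t n = 0;
        for (ssize_t r = 0; n < sizeof in && (r = read(to_child[0], in + n, sizeof in - n)) > 0;)
            n += (size_t)r;
        if (misbehave) { volatile pid_t p = getpid(); (void)p; }   /* not allowed -> SIGSYS */
        size_t len = strip_tags(in, n, res, sizeof res);
        _exit(write(from_child[1], res, len) == (ssize_t)len ? 0 : 3);
    }
    close(to_child[0]); close(from_child[1]);            /* parent: collect output, reap child */
    size_t got = 0;
    for (ssize_t r = 0; got + 1 < outcap && (r = read(from_child[0], out + got, outcap - 1 - got)) > 0;)
        got += (size_t)r;
    out[got] = '\0'; close(from_child[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (ssize_t)got : -1;
}

/* Checkable results: 1 if the confined child returned the cleaned text; the signal a misbehaving child dies with. */
static int demo_parse_matches(void) {
    char out[SANDBOX_MAX];
    return parse_sandboxed("<p>Hello <b>world</b></p>", out, sizeof out, 0) == 11 && strcmp(out, "Hello world") == 0;
}
static int demo_violation_signal(void) {
    char out[SANDBOX_MAX];
    return -(int)parse_sandboxed("<p>x</p>", out, sizeof out, 1);   /* expected: SIGSYS */
}
```

demo_parse_matches() and demo_violation_signal() are the entry points; a main that calls them is all that is needed to run it. The allowlist is deliberately tiny. The real parser would need at least brk/mmap/munmap for its allocator, and the practical way to find out what else is to run the confined child under strace -f and add whatever it gets killed on. On OpenBSD a single pledge("stdio", NULL) before the read gives the same confinement; sandbox-exec on macOS applies a profile when a program is launched, so the confined step there would be a separate helper executable rather than a fork.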
I found Google has a library for it, which might be a useful starting point: https://chromium.googlesource.com/chromium/src/sandbox/
(Kenneth mentioned something along these lines to me in the hallway. This is me not trying to forget.)