Whitelist path feature tame() has a 2nd parameter const char *whitepaths[] If non-NULL, points at array of pathnames that the program can "see" All other filesystem objects disappear (ENOENT) Except directories partway along a whitepath (these show up as uid 0, gid 0, mode d--x--x--x) This feature is still being developed. Not ready to talk about what will use this yet :-)