Re: [dev] pledge(2) patches

From: Kamil Cholewiński <harry666t_AT_gmail.com>
Date: Mon, 06 Jun 2016 13:18:19 +0200

On Mon, 06 Jun 2016, Martin Kühne <mysatyre_AT_gmail.com> wrote:
> I don't understand the purpose of pledge, since it's under the control
> of the programmer, but so is what the program does just as well. In
> what way is the programmer supposed to prevent himself from doing what
> they were going to do anyway?
>
> cheers!
> mar77i

If you are Knuth or DJB and write perfect, bug-free programs on the
first try, you don't need pledge. But the rest of us are mere mortals.

Pledge is about what you *didn't* expect your program to do. Think, you
download a random file from the Internet. You run file(1) on it, and
boom! A hole in libmagic and the attacker managed to execute arbitrary
code on your box.

With pledge, the arbitrary code still executes, but is limited to
whatever syscalls your program has pledged to use. In a well-designed,
privilege-separated program, this can limit the potential damage, from
full pwnage to a mere crash.

<3,K.
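As an added illustration of the two-step pledge pattern described above (this is example code, not part of the thread or of any OpenBSD program): a file(1)-style sniffer that keeps "rpath" only while it opens the file, then drops to "stdio" before it parses attacker-controlled bytes. It assumes OpenBSD for a real pledge(2); elsewhere the call is stubbed as a no-op so the data path still compiles and runs.

```c
/* Example pledge(2) usage: open with "stdio rpath", parse under "stdio".
 * On OpenBSD pledge(2) is real; elsewhere it is stubbed (assumption of
 * this example) so the program compiles and the flow can be followed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define do_pledge(p) pledge((p), NULL)
#else
/* Stub: no-op outside OpenBSD, provides no restriction at all. */
static int do_pledge(const char *promises) { (void)promises; return 0; }
#endif

/* Minimal magic check: this is the code that handles untrusted bytes,
 * so it is the code whose bugs pledge is meant to contain. */
const char *classify(const unsigned char *buf, size_t n)
{
    if (n >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0) return "ELF";
    if (n >= 8 && memcmp(buf, "\x89PNG\r\n\x1a\n", 8) == 0) return "PNG";
    if (n >= 2 && buf[0] == '#' && buf[1] == '!') return "script";
    return "data";
}

/* Read up to 64 bytes, then give up the ability to open paths before
 * parsing them. Returns the classification, or NULL on error. */
const char *classify_file(const char *path)
{
    static unsigned char buf[64];
    if (do_pledge("stdio rpath") == -1) return NULL;   /* still need open() */
    FILE *f = fopen(path, "rb");
    if (f == NULL) return NULL;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    /* Bytes are in memory now. Tightening to "stdio" means a bug in
     * classify() can no longer open, exec or connect: any such syscall
     * gets the process killed instead (full pwnage -> mere crash). */
    if (do_pledge("stdio") == -1) return NULL;
    return classify(buf, n);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 1; }
    const char *kind = classify_file(argv[1]);
    if (kind == NULL) { perror(argv[1]); return 1; }
    printf("%s: %s\n", argv[1], kind);
    return 0;
}
```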
Received on Mon Jun 06 2016 - 13:18:19 CEST