Re: [dev] pledge(2) patches

From: FRIGN <>
Date: Mon, 6 Jun 2016 10:22:50 +0200

On Mon, 06 Jun 2016 10:02:05 +0200
Kamil CholewiƄski <> wrote:

Hey Kamil,

> The "problem" with pledge, is you have to let the program initialise
> completely, and only then drop the privileges. Otherwise it could've
> been implemented as a flag on the executable file.

You can also pledge multiple times. I don't know if we can separate st
so much into an initialization- and idle-stage.

> If you'd make this a generic hook, it might get tricky to inject the
> right behavior at the right stage, plus the cognitive cost of extra
> indirection / abstraction.

I don't see this issue here tbh. Trivial pledges, like disallowing
network access and stuff can always be done.

> Pledge is extremely human-friendly, and about as simple as it can get.
> In almost every case, calling it is two lines of code, with xpledge it's
> one. Compare with SecComp.

This is no discussion about SecComp vs. pledge. This is solely a
question if we should add a very good security feature, which
unfortunately is not portable (yet).

> Agree, however I've also found this:
> TLDR: pledge on Linux implemented in terms of SecComp.

As far as I know, SecComp has some weird behaviour when you exec.
Other than pledge, which "resets" the permissions, SecComp keeps
the limitations.
Because of that, the only way would be to somehow disable Seccomp
before execing, risking a TOCTTOU-problem.



Received on Mon Jun 06 2016 - 10:22:50 CEST

This archive was generated by hypermail 2.3.0 : Mon Jun 06 2016 - 10:24:12 CEST