Re: [dev] pledge(2) patches

From: Kamil Cholewiński <harry666t_AT_gmail.com>
Date: Mon, 06 Jun 2016 14:26:55 +0200

On Mon, 06 Jun 2016, Martin Kühne <mysatyre_AT_gmail.com> wrote:
> Also, the way it is designed is a rather silly approach to security
> which is much more revealing about today's idiotic way of writing
> software by including tens of millions of SLOC of dependencies instead
> of doing the one thing for the one job.

Design is mostly a matter of taste, but seems like you got everything
backwards:

- Run sloccount on OpenBSD source (the entire system) and compare with
  the Linux kernel alone. You'll find the difference is in orders of
  magnitude in OpenBSD's favor.

- Pledge does exactly one thing, and the implementation is simple, clear
  and straightforward. (Go read the source! Now!)

I would say for some people it's perhaps too simple, as it may correctly
handle 99% of the real-world use cases, but it doesn't allow any extra
flexibility when needed. But yes, for me that's also a feature, and a
mark of good design.

> Doesn't the loader also have a say in what addresses are known to a
> process?

Pledge only deals with syscalls, so yes, the loader in the kernel knows
exactly which ones are available to the process, and denies them, per
request.

Yes, it can be implemented as a filesystem flag, but it would be much
less effective.

> I personally find the idea of polluting our source code for this
> appalling and suggest the wiki.

I understand the sentiment of not wanting OS-specific functionality in
an otherwise very portable piece of software, but since you're so
outspoken about it, I'm very curious about which real-world alternatives
you would recommend.

<3,K.
Received on Mon Jun 06 2016 - 14:26:55 CEST
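As an added example, not code from this thread or from suckless: the pattern a portable C program typically uses to adopt pledge(2) without breaking builds elsewhere. All privileged setup (opening files, binding sockets) happens first, then the process pledges down to the smallest promise set that covers everything it still has to do. It assumes OpenBSD's `pledge(const char *promises, const char *execpromises)` signature; on other systems the `#ifdef` turns the call into a no-op. The helper names, the temporary file path and its contents are constructed for the illustration.

```c
/* Added example (not from the mailing-list thread): adopting pledge(2)
 * in a portable C program. Everything here is constructed to illustrate
 * the pattern; restrict_to(), read_then_pledge() and demo_pledge_pattern()
 * are names chosen for this example, not a real library API. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* On OpenBSD pledge(2) is real; elsewhere it becomes a no-op so the same
 * source compiles everywhere. A program that must have the guarantee can
 * instead refuse to run where pledge is unavailable (a policy choice). */
#ifdef __OpenBSD__
static int restrict_to(const char *promises) { return pledge(promises, NULL); }
#else
static int restrict_to(const char *promises) { (void)promises; return 0; }
#endif

/* Read up to n-1 bytes of path into buf, NUL-terminated.
 * The open(2) happens before pledging; afterwards the process can still
 * read(2)/close(2) the descriptor it already holds, because pledge filters
 * future syscalls rather than revoking existing file descriptors.
 * promises must cover every syscall the caller makes after this returns:
 * a pledged process that makes an unpromised syscall is killed, so a
 * caller that still needs unlink(2) must include "cpath".
 * Returns the number of bytes read or -1 on error. */
ssize_t read_then_pledge(const char *path, const char *promises,
                         char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* From here on no further open(2), socket(2), execve(2) and so on. */
    if (restrict_to(promises) < 0) {
        close(fd);
        return -1;
    }
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0)
        return -1;
    buf[got] = '\0';
    return got;
}

/* Self-contained demo: write a constructed config file, read it back via
 * the pledge pattern, then remove it. "stdio cpath" is pledged because the
 * cleanup unlink(2) below is a cpath operation. Returns 0 on success. */
int demo_pledge_pattern(void)
{
    char path[] = "/tmp/pledge-demo-XXXXXX";   /* constructed temp file */
    const char *contents = "color=blue\n";     /* constructed contents  */
    size_t len = strlen(contents);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, contents, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    char buf[64];
    ssize_t got = read_then_pledge(path, "stdio cpath", buf, sizeof buf);
    unlink(path);   /* allowed only because "cpath" was promised above */
    return (got == (ssize_t)len && strcmp(buf, contents) == 0) ? 0 : 1;
}
```

The two things worth noticing are the order (setup first, pledge second) and the promise string: it is the caller, not the helper, who knows what the rest of the program still does, so the helper takes the promises as a parameter instead of hard-coding "stdio".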