On Mon, 06 Jun 2016 10:02:05 +0200 Kamil Cholewiński <[email protected]> wrote:
Hey Kamil,

> The "problem" with pledge, is you have to let the program initialise
> completely, and only then drop the privileges. Otherwise it could've
> been implemented as a flag on the executable file.

You can also pledge multiple times. I don't know if we can separate st so much into an initialization and an idle stage.

> If you'd make this a generic hook, it might get tricky to inject the
> right behavior at the right stage, plus the cognitive cost of extra
> indirection / abstraction.

I don't see this issue here tbh. Trivial pledges, like disallowing network access and stuff, can always be done.

> Pledge is extremely human-friendly, and about as simple as it can get.
> In almost every case, calling it is two lines of code, with xpledge it's
> one. Compare with SecComp.

This is no discussion about SecComp vs. pledge. This is solely a question of whether we should add a very good security feature, which unfortunately is not portable (yet).

> Agree, however I've also found this:
> https://github.com/Duncaen/OpenDoas/blob/master/libopenbsd/pledge-seccomp.c
> TLDR: pledge on Linux implemented in terms of SecComp.

As far as I know, SecComp has some weird behaviour when you exec. Unlike pledge, which "resets" the permissions, SecComp keeps the limitations. Because of that, the only way would be to somehow disable SecComp before execing, risking a TOCTTOU problem.

Cheers

FRIGN

-- 
FRIGN <[email protected]>
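As an added illustration of the staged pledging discussed in this message (example code, not st's or the thread's own): a broad pledge during initialisation, then a narrower one for the idle loop, with a helper that checks the second promise set is a subset of the first, since pledge(2) can only drop promises. It assumes the current two-argument pledge(2) form and compiles the call out on systems without pledge; the promise strings are illustrative, not st's actual set.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>

/* Wrapper in the spirit of the xpledge mentioned in the thread. Outside
 * OpenBSD the call is compiled out so the program still builds (assumption). */
static void
xpledge(const char *promises, const char *execpromises)
{
#ifdef __OpenBSD__
	if (pledge(promises, execpromises) == -1)
		err(1, "pledge");
#else
	(void)promises;
	(void)execpromises;
#endif
}

/* Does the space-separated promise set `set' contain the word word[0..n)? */
static int
has_promise(const char *set, const char *word, size_t n)
{
	const char *p = set;

	while (*p) {
		while (*p == ' ')
			p++;
		if (strncmp(p, word, n) == 0 && (p[n] == '\0' || p[n] == ' '))
			return 1;
		while (*p && *p != ' ')
			p++;
	}
	return 0;
}

/* A second pledge may only narrow: every promise in `next' must already be
 * in `cur', otherwise the kernel rejects the call with EPERM. Returns 1 if
 * the transition cur -> next is a valid narrowing. */
static int
promises_narrow(const char *cur, const char *next)
{
	size_t n;

	while (*next) {
		while (*next == ' ')
			next++;
		if (!*next)
			break;
		n = strcspn(next, " ");
		if (!has_promise(cur, next, n))
			return 0;
		next += n;
	}
	return 1;
}

int
main(void)
{
	/* Stage 1: set-up still opens files and fork/execs the shell. The exec'd
	 * child is unrestricted because pledge does not survive exec. */
	const char *init = "stdio rpath proc exec tty";
	/* Stage 2: the idle loop only needs the pty and stdio. */
	const char *idle = "stdio tty";

	xpledge(init, NULL);
	/* ... initialise the terminal, fork and exec the shell ... */
	if (!promises_narrow(init, idle))
		errx(1, "second pledge would widen privileges");
	xpledge(idle, NULL);
	/* ... main loop ... */
	return 0;
}
```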
