On 2021/03/16 09:28, Theo de Raadt wrote:
>
> > Yes, I know, it's a "better than nothing" solution. I tried to make it
> > run for all use cases, which is quite wide as you said.
>
> Hang on -- it is not "better than nothing". It leaves the programs with
> enough abilities so that, if it got holed, it could still do everything it
> needs to do to own the system. pledge and unveil are used elsewhere to
> ensure privdrop/privsep designs, and here it is not doing that.
Absolutely. A pledge which (after startup) allows the combination of both
file access and network io really makes me question if the pledge is going
to do anything useful.

> But that pledge is taking away a vast number of smaller posix interfaces,
> which are unnecessary for holing the system.

Perhaps there should be a limit on the length of the promises string ;)
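The phased tightening both messages are pointing at, as an added example that is not code from the thread or from any OpenBSD program: the process unveils its config, pledges rpath plus inet only for startup, then re-pledges to stdio inet so that a holed process has no file access afterwards. CONF_PATH, the promise strings and the helper names are assumptions; the non-OpenBSD stubs only let the file compile elsewhere and enforce nothing.

```c
/* Added example, not from the thread: promises narrowed by program phase so
 * no phase after startup holds file access and network I/O together. CONF_PATH
 * is hypothetical; off OpenBSD, pledge/unveil are no-op stubs for compiling. */
#include <err.h>
#include <string.h>
#include <unistd.h>
#ifndef __OpenBSD__
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif
#define CONF_PATH        "/etc/example.conf"  /* hypothetical */
#define STARTUP_PROMISES "stdio rpath inet"   /* read config, open socket */
#define RUNTIME_PROMISES "stdio inet"         /* no filesystem at all */

/* Exact-token match inside a space-separated promise string. */
static int has_promise(const char *promises, const char *want)
{
    size_t n = strlen(want);
    for (const char *p = promises; *p; ) {
        while (*p == ' ') p++;
        const char *start = p;
        while (*p && *p != ' ') p++;
        if ((size_t)(p - start) == n && strncmp(start, want, n) == 0)
            return 1;
    }
    return 0;
}

/* The property questioned in the thread: can a holed process with this
 * promise set both touch the filesystem and talk to the network? */
int promises_combine_file_and_net(const char *promises)
{
    int file = has_promise(promises, "rpath") || has_promise(promises, "wpath")
            || has_promise(promises, "cpath");
    int net  = has_promise(promises, "inet")  || has_promise(promises, "unix");
    return file && net;
}

int main(void)
{
    /* Startup: expose only the config file read-only, lock the view, pledge. */
    if (unveil(CONF_PATH, "r") == -1 || unveil(NULL, NULL) == -1 ||
        pledge(STARTUP_PROMISES, NULL) == -1)
        err(1, "startup sandbox");
    /* ... read CONF_PATH here: rpath and the unveiled path allow it ... */
    /* Startup over: drop rpath for good. pledge can only shrink the set, so
     * a later attempt to widen it fails instead of succeeding. */
    if (pledge(RUNTIME_PROMISES, NULL) == -1)
        err(1, "pledge");
    return 0;                            /* serve with no file access */
}
```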
