Stuart Henderson <s...@spacehopper.org> wrote:

> > In fact, I scanned the code looking for calls, so this should be ready for
> > general use. I could have restricted it way more for my own use only.
> > Though, I agree, this only protects from a very limited subset like route,
> > settime, pf, audio, video.
> 
> Even if you scanned the relevant code (which includes openldap, mariadb
> client library, cyrus-sasl) people updating those in the future can't be
> expected to look at how the library code changes to figure out if it's
> going to have a bad effect on pledge in exim..

It is worse than that.

Renaud, if the pledge lacks "route settime pf audio video" this does
not mean those system features are disabled.

It means they are not added.

Think of pledge like this.  pledge "" allows you to do nothing.  Every
pledge added allows you to do a bit more (some of those overlap
slightly).

They are additive.  Not subtractive.

pledge is implemented as a WHITELIST of lower-level operations, not as
a blacklist.

You've added enough stuff so that any RCE in exim can still execute all
the exploit methodologies people are using.

But you've incidentally removed far more than "route settime pf audio video"
related ioctl.  You just don't realize what you've removed.
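As an added illustration of the additive-whitelist rule in the reply above (this is not code from the thread or from OpenBSD): a small C model of how pledge promise accounting behaves. `struct pledge_state`, `model_pledge` and `model_allowed` are invented names; the real pledge(2) lives in the kernel, refuses any call that tries to widen the set with EPERM, and kills the process on a syscall outside the set.

```c
#include <errno.h>
#include <string.h>

/* Model only, not OpenBSD's implementation: a pledge string is a
 * whitelist of promises.  Before the first call everything is allowed;
 * after it, only the named promises are, and a later call may drop
 * promises but never add them back (pledge(2) returns EPERM for that). */

#define MAX_PROMISES 32
#define NAME_LEN 16

struct pledge_state {
    int  pledged;                       /* 0 until the first pledge call */
    int  n;
    char promise[MAX_PROMISES][NAME_LEN];
};

static int has_promise(const struct pledge_state *s, const char *name)
{
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->promise[i], name) == 0)
            return 1;
    return 0;
}

/* Apply a new promise string.  Returns 0 on success, or EPERM if the
 * string names a promise the process does not already hold. */
int model_pledge(struct pledge_state *s, const char *promises)
{
    struct pledge_state next = { 1, 0, {{0}} };
    char buf[256];
    strncpy(buf, promises, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (s->pledged && !has_promise(s, tok))
            return EPERM;               /* widening is refused */
        if (next.n < MAX_PROMISES && !has_promise(&next, tok)) {
            strncpy(next.promise[next.n], tok, NAME_LEN - 1);
            next.n++;
        }
    }
    *s = next;                          /* narrowing replaces the set */
    return 0;
}

/* Would a syscall that needs `promise` be allowed right now? */
int model_allowed(const struct pledge_state *s, const char *promise)
{
    return !s->pledged || has_promise(s, promise);
}
```

Leaving "route" out of the string never disables anything that was on; it simply is never granted, which is the distinction the reply draws.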
