On Tue, Dec 10, 2019 at 10:18:37AM -0700, Theo de Raadt wrote: > Landry Breuil <lan...@openbsd.org> wrote: > > > Well, i managed to have a 'video' pledge class, so you can probably get > > an 'uhidioctl' class :) > > I still feel the addition of 'video' pledge was an abuse of the concept. > > firefox has done a pretty weak version of privsep that requires a > 'master process' to have nearly all the pledges. The pledge options are > designed to encourage best-practice privsep, but firefox wants to > operate a master process with such a vast subset of full-posix, it is as > if it doesn't use pledge at all. > > It is similar with unveil, with this new diff. That process wants to > use a library which accesses many tens of files. This new subsystem > hasn't been seperated out into a process with a specific purpose.
I've been told they welcome new contributors sending patches :)
