I've been sending out these reports about pledge status every few
weeks; it is kind of fun so I will continue.

Early on, I modified ps(1) so that it can show whether a process is
pledged in some fashion.  This shows up as a little 'p' in the STAT
field.  (It tends to be the last character of the field, so let's use
that below).

'p' does not tell you how strict the requests are, but it indicates
some developer(s) put effort into restricting what the process will
do.  Let's look at that (play along at home):

     % ps aguxww | grep 'p  *'
     [list of processes which are pledged]

     % ps aguxww | grep -v 'p  *'
     [list of processes which are not pledged, much shorter]
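A slightly more careful way to do the same split, as an added example that is not part of the original post: rather than grepping for a 'p' followed by spaces anywhere in the line, test the STAT column of the ps output itself. The sample `ps aguxww` output embedded below is constructed (PIDs, STAT flags and command lines are made up for illustration); on a real host with this ps(1) you would pipe live `ps aguxww` output into the same functions instead.

```shell
#!/bin/sh
# Constructed sample of `ps aguxww` output (not real output): a ps(1) that
# marks pledged processes with a lowercase 'p' in the STAT column.
SAMPLE_PS='USER     PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
root       1  0.0  0.1   536   432 ??  Is   12:00PM 0:00.01 /sbin/init
root   12345  0.0  0.2   948   812 ??  Is   12:00PM 0:00.02 pflogd: [priv] (pflogd)
_pflogd 23456 0.0  0.2   796   700 ??  Sp   12:00PM 0:00.03 pflogd: [running] -s 160 -i pflog0
root   34567  0.0  0.5  2304  1800 ??  Is   12:00PM 0:00.10 /usr/sbin/sshd
_x11   45678  0.0  0.3  1200   900 ??  Ip   12:00PM 0:00.01 xconsole'

# In `ps aguxww` output the columns are USER PID %CPU %MEM VSZ RSS TT STAT
# STARTED TIME COMMAND, so STAT is field 8.  The 'p' flag is lowercase and no
# other lowercase 'p' occurs in STAT, so matching it anywhere in the field is
# safe even when it is not the last character.  NR > 1 skips the header row.
pledged_only()   { awk 'NR > 1 && $8 ~ /p/' ; }
unpledged_only() { awk 'NR > 1 && $8 !~ /p/' ; }

# One line per process: PID, STAT, verdict, first word of COMMAND.
pledge_report() {
    awk 'NR > 1 {
        verdict = ($8 ~ /p/) ? "pledged" : "NOT-pledged"
        print $2, $8, verdict, $11
    }'
}

# Count newline-terminated rows, stripping the padding some wc(1)s emit.
count_lines() { wc -l | tr -d ' ' ; }

# Wrappers over the constructed sample so the block runs offline.
sample_pledged()   { printf '%s\n' "$SAMPLE_PS" | pledged_only ; }
sample_unpledged() { printf '%s\n' "$SAMPLE_PS" | unpledged_only ; }
sample_report()    { printf '%s\n' "$SAMPLE_PS" | pledge_report ; }

# Usage against the sample; on a real host: ps aguxww | pledge_report
sample_report
```

The report makes the privilege-separation pattern described below visible at a glance: in the constructed sample the privileged pflogd parent shows up as NOT-pledged next to its pledged child, which is exactly the "one side is pledged, the other is not" shape the post describes.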

Some curious things show up, depending on what you are running on
your system.

If you are running X, you may also have xconsole.  For both X and
xconsole you will see one process is pledged, the other is not.  This
is privilege separation showing itself a bit more obviously.  So far,
we've been able to pledge one half of the process grouping, but not
the other half.  Give us time, maybe we can build requests for the
other halves.

If you are running smtpd, you will probably be happy with the result.
gilles and eric designed (the monster) as many processes, then glued
them together into fewer.  As a result, the  

pflogd shows the same behaviour; one side is pledged, the other is
not.  tcpdump does the same.  Trust me, the gory scary bits are
pledged.  The master processes are lying around to do an ioctl. 

You'll soon see that sshd and ssh are not yet pledged (well, the sshd
pre-auth is..).  There is some work starting on those, somewhat
slowly.  The moniker "swiss army knife" shows itself here, because
these are very complicated programs that can at quite arbitrary times
use a wide variety of system capabilities.

In my view, the most important programs not yet pledged are:

   sshd ssh sftp sftp-server
   dhclient
   mountd
   lpd lpr lpq lprm (yes, legacy software, but still)
   xconsole (the other half)
   xdm
   sndiod (work in progress, stay tuned for a great commit!)
   spamd (the entire toolset)
   ifstated
   ospfd ospf6d
   Some other minor routing daemons

Also a few other pieces of software are incompletely pledged, and need
some refactoring when the right people find time.  Particularly:

    relayd
    snmpd

That is simply because these are complicated pieces of software.  It
is the same story as ssh and sshd.  pledge is a high-level syscall
blocker, but in syscall intensive programs the principles can become
difficult (or impossible) to apply, and other methods attempt to make
that software fail when it misbehaves. 

If you are running ports.. well.. that can't happen yet.
