> OpenBSD's file(1) implementation was written by nicm@, first introduced
> in 5.8, the initial design included a privileged parent process which
> forked an unprivileged child which would handle potentially unsafe
> file parsing.
>
> It also had 'sandboxing' using systrace(4), which required complex
> parent/child monitoring (SIGSTOP/START) to attach a policy to the
> child process.
>
> The goal was to make running file(1) safer, as it is often blindly
> run as root by users and build scripts alike.
>
> Today, file(1) uses pledge(2) in the unprivileged child, and the
> parent handles the initial opening and passing of fds using imsg, but
> otherwise it just wait(4)'s until the process exits.
>
> The diff below attempts to simplify the design, removing the
> parent/child abstractions entirely and dropping privs in the parent
> after opening the magic(5) patterns and input.
BTW, there is a piece of the story missing.
I started work on pledge due to conversations about file with nicm.
It was I who pushed him to write our file replacement. As he and I
pivoted through various privsep design considerations, and the
side-adventure to use systrace, I remembered all my misgivings about
the way systrace is used, and ("tame") pledge was born.
The 2nd program that was considered during pledge design was the
ntpd privsep. The 3rd program was the sshd pre-auth sandbox.
The direction seems sound. It is even tighter. This didn't work
in early pledge, but it does now.
However that diff contained other unrelated changes, which should not
be included.
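The single-process layout the quoted message proposes (open the magic(5) patterns and the input while still unrestricted, then pledge(2) down to "stdio" before touching any untrusted bytes), as an added example that is not OpenBSD's file(1) source nor the diff under discussion. Assumptions: the one-line "prefix<TAB>description" magic format, the sample files and the function names are constructed for this example; pledge(2) exists only on OpenBSD, so on other systems a no-op stub stands in for it so the example still compiles and runs.

```c
/* Added example: "open everything first, then pledge" in one process.
 * Not file(1)'s code; the toy magic format and helpers are constructed. */
#ifndef __OpenBSD__
#define _DEFAULT_SOURCE /* glibc: expose mkstemp/O_CLOEXEC under strict -std modes */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* After this call only stdio-class syscalls remain; any other syscall kills the process. */
static int restrict_to_stdio(void) { return pledge("stdio", NULL); }
#else
static int restrict_to_stdio(void) { return 0; } /* portability stub (assumption) */
#endif

#define HEAD_MAX 64
#define MAGIC_MAX 4096

/* Phase 1: open every fd the parser will ever need while still unrestricted. */
int open_inputs(const char *magic_path, const char *input_path, int *magic_fd, int *input_fd)
{
    *magic_fd = open(magic_path, O_RDONLY | O_CLOEXEC);
    if (*magic_fd == -1)
        return -1;
    *input_fd = open(input_path, O_RDONLY | O_CLOEXEC);
    if (*input_fd == -1) {
        close(*magic_fd);
        *magic_fd = -1;
        return -1;
    }
    return 0;
}

/* Toy matcher (constructed, far simpler than magic(5)): the first line whose
 * prefix equals the head of the input wins; otherwise report "data". */
const char *classify(const char *magic, const unsigned char *head, size_t n, char *out, size_t outlen)
{
    const char *line = magic;
    while (*line != '\0') {
        const char *tab = strchr(line, '\t');
        const char *eol = strchr(line, '\n');
        if (eol == NULL)
            eol = line + strlen(line);
        if (tab != NULL && tab < eol) {
            size_t plen = (size_t)(tab - line);
            if (plen > 0 && plen <= n && memcmp(line, head, plen) == 0) {
                size_t dlen = (size_t)(eol - tab - 1);
                if (dlen >= outlen)
                    dlen = outlen - 1;
                memcpy(out, tab + 1, dlen);
                out[dlen] = '\0';
                return out;
            }
        }
        if (*eol == '\0')
            break;
        line = eol + 1;
    }
    snprintf(out, outlen, "data");
    return out;
}

/* Phase 2: drop privileges, then parse using only the fds already held. */
int identify_file(const char *magic_path, const char *input_path, char *out, size_t outlen)
{
    int mfd, ifd;
    char magic[MAGIC_MAX];
    unsigned char head[HEAD_MAX];
    ssize_t mlen, hlen;

    if (open_inputs(magic_path, input_path, &mfd, &ifd) == -1)
        return -1;
    if (restrict_to_stdio() == -1) /* from here on, no further open(2) is possible */
        return -1;
    mlen = read(mfd, magic, sizeof(magic) - 1);
    hlen = read(ifd, head, sizeof(head));
    close(mfd);
    close(ifd);
    if (mlen < 0 || hlen < 0)
        return -1;
    magic[mlen] = '\0';
    classify(magic, head, (size_t)hlen, out, outlen);
    return 0;
}

/* Demo helper: write constructed sample bytes to a temp file and return its path. */
int write_temp(const char *contents, char *path, size_t pathlen)
{
    size_t len = strlen(contents);
    int fd;
    snprintf(path, pathlen, "/tmp/file-example.XXXXXX");
    if ((fd = mkstemp(path)) == -1)
        return -1;
    if (write(fd, contents, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char mp[64], ip[64], out[128];
    /* Constructed sample magic table and input; not real magic(5) data. */
    const char *magic = "%PDF-\tPDF document\n#!\tscript text\nGIF8\tGIF image data\n";
    if (write_temp(magic, mp, sizeof mp) == -1 || write_temp("%PDF-1.7 sample", ip, sizeof ip) == -1)
        return 1;
    if (identify_file(mp, ip, out, sizeof out) == -1)
        return 1;
    printf("%s: %s\n", ip, out);
    return 0;
}
```

The point of the ordering is that the parser, which is the part handling attacker-controlled bytes, runs only after pledge("stdio"): on OpenBSD a bug that tried to open, execute or connect to anything from inside the matcher terminates the process instead of succeeding, which is the same property the earlier parent/child split bought at the cost of fork, imsg and wait bookkeeping.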