g...@oat.com wrote:
> Theo de Raadt wrote:
>> After pledge, 80% of the base programs were converted to pledge-assisted
>> priv-drop, because it was really obvious that "initialization code" could
>> and should be moved earlier in the program, so that pledge (or multiple
>> pledge calls dropping permissions further) could be added to the program.
>>
>> Inside the group, we called this moving of initialization code to
>> earlier "hoisting".
>
> Hoisting and cleanup can have very large benefits independent of implementing
> pledge or other security features.
> I have seen programs shrink by almost 90% and gain functionality as a result.
>
> In one case it -was- a program which ran with privileges equivalent to root.
> As a byproduct of the cleanup we were later able to assure ourselves that the
> result needed no more changes to be as secure as we could make it.
It is a big mental shift. If you don't attempt & perform the hoisting action once, yourself to a real pre-existing program, then you will never understand pledge and have mysterious beliefs about how it is 1-line secret sauce that makes programs safer. On the contrary, it is 90% guidance and 10% enforcement.
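The hoisting pattern the thread describes, as an added example that is not code from the thread or from any OpenBSD program: a small line counter whose only filesystem work (opening the input) is hoisted ahead of the processing loop, so a second pledge(2) call can drop "rpath" before a single byte is read. It assumes OpenBSD's pledge(2); on other systems a no-op stand-in is compiled in so the program still builds, but then nothing is enforced.

```c
#include <err.h>
#include <stdio.h>
#include <unistd.h>
#ifndef __OpenBSD__
/* Stand-in so the example builds off OpenBSD; it enforces nothing. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

/* Count '\n' bytes in a buffer. */
static size_t count_newlines(const char *buf, size_t len)
{
	size_t n = 0;
	for (size_t i = 0; i < len; i++)
		if (buf[i] == '\n')
			n++;
	return n;
}

/* Count lines on an already-open stream; needs nothing beyond "stdio". */
static size_t count_lines(FILE *fp)
{
	char buf[4096];
	size_t n, total = 0;
	int last = '\n';
	while ((n = fread(buf, 1, sizeof buf, fp)) > 0) {
		total += count_newlines(buf, n);
		last = buf[n - 1];
	}
	if (last != '\n')	/* unterminated final line still counts */
		total++;
	return total;
}

/* Hoisted layout: filesystem work first, then narrow the promises before the loop. */
static size_t run(const char *path)
{
	/* Stage 1: opening the input still needs "rpath". */
	if (pledge("stdio rpath", NULL) == -1)
		err(1, "pledge");
	FILE *fp = fopen(path, "r");
	if (fp == NULL)
		err(1, "%s", path);
	/* Stage 2: initialization is over, so drop "rpath"; a stray open() is now fatal. */
	if (pledge("stdio", NULL) == -1)
		err(1, "pledge");
	size_t lines = count_lines(fp);
	fclose(fp);
	return lines;
}
```

A `main()` that calls `run(argv[1])` and prints the result is all that is left to add; the order of the two pledge calls is the whole point, not the counting.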