Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support
Date: Fri, 01 Apr 2022 10:37:48 UTC
--------
David Chisnall writes:
> > pledge()/unveil() are usually used for fairly well-disciplined
> > applications that either don't run other programs or run very specific
> > programs that are also well-disciplined and don't expect too much
> > (unless you just drop the pledges on execve()).
>
> The execve hole is the reason that I have little interest in pledge as
> an enforcement mechanism.

That (and the name) is why I have never seen it as an enforcement
mechanism, but only as a special case of asserts: "I pledge that I'm
not going to ... (until I tell you otherwise), fail me if I do".

It is not obvious to me what role the "curtain" proposal is intended
to play, or what role the originator of that proposal thinks
pledge()/unveil() has?

What is the level of ambition and the use-cases here?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.