Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support

From: Poul-Henning Kamp <phk_at_phk.freebsd.dk>
Date: Fri, 01 Apr 2022 10:37:48 UTC
--------
David Chisnall writes:

> > pledge()/unveil() are usually used for fairly well-disciplined 
> > applications that either don't run other programs or run very specific 
> > programs that are also well-disciplined and don't expect too much 
> > (unless you just drop the pledges on execve()).
>
> The execve hole is the reason that I have little interest in pledge as 
> an enforcement mechanism.

That (and the name) is why I have never seen it as an enforcement mechanism, but only as a special case of asserts:

	"I pledge that I'm not going to ... (until I tell you otherwise), fail me if I do".

It is not obvious to me what role the "curtain" proposal is intended to play,
or what role the originator of that proposal think pledge()/unveil() has ?

What is the level of ambition and the use-cases here ?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.