Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support

From: Ed Maste <emaste_at_freebsd.org>
Date: Thu, 31 Mar 2022 19:33:06 UTC
On Thu, 31 Mar 2022 at 06:25, David Chisnall <theraven@freebsd.org> wrote:
>
> Capsicum simply disallows '..' in paths.

This is no longer true as of 7359fdcf5ffa. During a lookup the kernel
checks that each ".." component specifies a directory that has already
been visited in this name lookup call.

> The execve hole is the reason that I have little interest in pledge as
> an enforcement mechanism.

Note that execve is only available if the "exec" keyword is specified.
The child does not inherit the parent's limits, though.
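The ".." rule described in the reply above, modelled in userspace as an added example (this is not FreeBSD kernel code): a lexical walk that accepts a relative path only if every ".." backs out of a directory this same path already entered. It assumes the path is relative to a directory descriptor and does not resolve symlinks, which the in-kernel check on visited vnodes does cover.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true if every ".." in the relative path refers to a directory
 * that this same lookup already descended into, i.e. the path never
 * climbs above the starting directory. Lexical model only (assumption):
 * the real kernel check is made on the vnodes visited during the lookup,
 * so it also covers symlinks, which this userspace model does not resolve. */
bool dotdot_stays_inside(const char *path)
{
    size_t depth = 0;           /* directories entered below the start */
    const char *p = path;

    if (*p == '/')
        return false;           /* absolute paths are not relative to the dir fd */

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;   /* would leave the starting directory */
            depth--;            /* back into a directory already visited */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;            /* a real component: one level deeper */
        }
        /* "" (doubled slash) and "." do not change depth */

        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

int main(void)
{
    /* constructed sample paths */
    const char *samples[] = { "a/b/../c", "../etc/passwd", "a/../../x", "/etc/passwd" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s %s\n", samples[i],
               dotdot_stays_inside(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```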