Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support
Date: Thu, 31 Mar 2022 19:37:34 UTC
On Thu, Mar 31, 2022 at 03:33:06PM -0400, Ed Maste wrote:
> On Thu, 31 Mar 2022 at 06:25, David Chisnall <theraven@freebsd.org> wrote:
> >
> > Capsicum simply disallows '..' in paths.
>
> This is no longer true as of 7359fdcf5ffa. During a lookup the kernel
> checks that each ".." component specifies a directory that has already
> been visited in this name lookup call.
>
> > The execve hole is the reason that I have little interest in pledge as
> > an enforcement mechanism.
>
> Note that execve is only available if the "exec" keyword is specified.
> The child does not inherit the parent's limits, though.

I wonder if there's opportunity here for a little divergence. I think
inheritance would be a good thing. But this is more a philosophical and
subjective argument than a technical one.

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc