Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Thu, 31 Mar 2022 19:37:34 UTC
On Thu, Mar 31, 2022 at 03:33:06PM -0400, Ed Maste wrote:
> On Thu, 31 Mar 2022 at 06:25, David Chisnall <theraven@freebsd.org> wrote:
> >
> > Capsicum simply disallows '..' in paths.
> 
> This is no longer true as of 7359fdcf5ffa. During a lookup the kernel
> checks that each ".." component specifies a directory that has already
> been visited in this name lookup call.
> 
> > The execve hole is the reason that I have little interest in pledge as
> > an enforcement mechanism.
> 
> Note that execve is only available if the "exec" keyword is specified.
> The child does not inherit the parent's limits, though.

I wonder if there's opportunity here for a little divergence. I think
inheritance would be a good thing. But this is more a philosophical
and subjective argument than a technical one.

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc