The OpenBSD pledge
Florian Ermisch
florian.ermisch at alumni.tu-berlin.de
Mon Jun 13 07:44:17 UTC 2016
On 11 June 2016 18:31:25 MESZ, Alan Somers <asomers at freebsd.org> wrote:
> On Sat, Jun 11, 2016 at 5:32 AM, Domagoj Stolfa
> <domagoj.stolfa at gmail.com> wrote:
> > Yes, it would maybe make sense to do so. I am not too familiar with
> > capsicum(4), but glancing over it, it might be possible. If anything, it
> > would allow for code reuse from the OpenBSD ports and increased portability
> > in the future. Maybe the people who have worked with capsicum(4) or have
> > developed it could give some more insight on this.
> >
>
> I don't see how it would be possible. Capsicum is all about file
> descriptors. When you call cap_enter(), you give up the ability to
> access global namespaces. For example, you can no longer open files
> (except using openat(2) for files in a subdirectory of a directory
> which is already opened). OTOH, pledge is all about syscalls. When
> you pledge, you give up the ability to use certain syscalls,
> regardless of what file descriptors they might involve. So for
> example, a program that uses pledge(2) to prohibit networking syscalls
> can't simply replace pledge(2) with cap_enter(2), because it may need
> to open files after pledging.
>
> -Alan
Thanks for the clarification, Alan.

So pledge(2) would, if implemented in FreeBSD, complement capsicum. They would only overlap around file descriptors, where capsicum could enforce a process's pledge, like to only ever write to one file, which is its logfile.

Florian
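The mechanism Alan describes above, as an added example that is not part of this thread and not code from either author: every descriptor the sandboxed code will need is opened first, then cap_enter() is called, after which open(2) on an absolute path fails with ECAPMODE while openat(2) relative to the already-open directory descriptor still works. The cap_enter() call only exists on FreeBSD; on any other system the sandbox step is skipped and the result records that, which is an assumption of this example rather than anything the thread says. The directory /tmp and the scratch file name are also assumptions.

```c
/* Added example: Capsicum capability mode versus global-namespace access.
 * Pre-open a directory fd, call cap_enter(), then compare open(2) of an
 * absolute path (denied with ECAPMODE) against openat(2) through the
 * pre-opened descriptor (allowed). Only FreeBSD has cap_enter(); elsewhere
 * the sandbox step is skipped and `entered` stays 0 (assumption). */
#ifndef __FreeBSD__
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

struct cap_demo {
    int entered;     /* 1 once cap_enter() succeeded, 0 if Capsicum is unavailable */
    int open_errno;  /* errno from open(2) of an absolute path after sandboxing, 0 if it succeeded */
    int openat_ok;   /* 1 if openat(2) through the pre-opened directory fd succeeded */
    int bytes_read;  /* bytes read back through the openat(2) descriptor */
};

static int enter_capability_mode(void)
{
#ifdef __FreeBSD__
    return cap_enter() == 0;
#else
    return 0; /* assumption: no Capsicum on this OS, process stays unsandboxed */
#endif
}

/* Runs the demonstration inside dirpath using a scratch file named fname. */
struct cap_demo run_cap_demo(const char *dirpath, const char *fname)
{
    struct cap_demo d = { 0, -1, 0, 0 };
    static const char payload[] = "sandbox\n";   /* constructed sample content */
    char abspath[1024];
    char buf[16];

    snprintf(abspath, sizeof abspath, "%s/%s", dirpath, fname);

    /* Everything the sandboxed code will touch is opened BEFORE cap_enter(). */
    int dfd = open(dirpath, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return d;
    int wfd = openat(dfd, fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (wfd < 0) {
        close(dfd);
        return d;
    }
    ssize_t w = write(wfd, payload, sizeof payload - 1);
    (void)w;
    close(wfd);

    d.entered = enter_capability_mode();

    /* Global namespace: path lookup from "/" is refused in capability mode. */
    int gfd = open(abspath, O_RDONLY);
    d.open_errno = gfd < 0 ? errno : 0;
    if (gfd >= 0)
        close(gfd);

    /* Lookup relative to a descriptor we already hold is still permitted. */
    int rfd = openat(dfd, fname, O_RDONLY);
    if (rfd >= 0) {
        d.openat_ok = 1;
        ssize_t n = read(rfd, buf, sizeof buf);
        d.bytes_read = n < 0 ? 0 : (int)n;
        close(rfd);
    }

    unlinkat(dfd, fname, 0); /* descriptor-relative unlink also works in capability mode */
    close(dfd);
    return d;
}

/* 1 if the outcome matches what the thread describes for the OS we ran on. */
int cap_demo_as_expected(struct cap_demo d)
{
    if (!d.openat_ok || d.bytes_read != 8)
        return 0;
#ifdef __FreeBSD__
    return d.entered && d.open_errno == ECAPMODE;
#else
    return !d.entered && d.open_errno == 0;
#endif
}

int main(void)
{
    struct cap_demo d = run_cap_demo("/tmp", "capsicum-demo.txt");
    printf("entered=%d open_errno=%d (%s) openat_ok=%d bytes_read=%d\n",
           d.entered, d.open_errno, d.open_errno ? strerror(d.open_errno) : "ok",
           d.openat_ok, d.bytes_read);
    return cap_demo_as_expected(d) ? 0 : 1;
}
```

On FreeBSD the program prints a non-zero open_errno (ECAPMODE) together with openat_ok=1, which is the point of the thread: Capsicum removes path lookup from the global namespace but leaves descriptor-relative operations alone, so a program that needs to open arbitrary paths after sandboxing cannot swap pledge(2) for cap_enter() without restructuring its I/O around pre-opened directory descriptors.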