Date: Mon, 13 Jun 2016 09:44:01 +0200
From: Florian Ermisch <florian.ermisch@alumni.tu-berlin.de>
To: Alan Somers <asomers@freebsd.org>, Domagoj Stolfa <domagoj.stolfa@gmail.com>, Wolfgang Zenker <wolfgang@lyxys.ka.sub.org>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: Re: The OpenBSD pledge
Message-ID: <87672BA7-6724-45EB-B173-920DCEC39564@alumni.tu-berlin.de>
In-Reply-To: <CAOtMX2jtABfLSa9NjVTNdo3=WNhF2qJTqBMZqDGeT10uVD7j4w@mail.gmail.com>
References: <CABRKQr4U6-QKjcxWK_zV9TYBq-FFzuo4QxyRZ5Dcf9KxLjrypQ@mail.gmail.com>
 <20160611103834.GA75085@lyxys.ka.sub.org>
 <1F5A9247-7C98-483C-A4BD-4A3D54208B3D@alumni.tu-berlin.de>
 <CABRKQr7WheAHMRC04v90Rz68SFVBwapOn97bTiuPBy5x1ZaT=g@mail.gmail.com>
 <CABRKQr5XO=aJ60foH=kZ0MD8Ro0q6b=6n=pCYOAdAB1YsSs-+A@mail.gmail.com>
 <CAOtMX2jtABfLSa9NjVTNdo3=WNhF2qJTqBMZqDGeT10uVD7j4w@mail.gmail.com>
On 11 June 2016 18:31:25 MESZ, Alan Somers <asomers@freebsd.org> wrote:
> On Sat, Jun 11, 2016 at 5:32 AM, Domagoj Stolfa
> <domagoj.stolfa@gmail.com> wrote:
> > Yes, it would maybe make sense to do so. I am not too familiar with
> > capsicum(4), but glancing over it, it might be possible. If anything, it
> > would allow for code reuse from the OpenBSD ports and increased portability
> > in the future. Maybe the people who have worked with capsicum(4) or have
> > developed it could give some more insight on this.
> >
>
> I don't see how it would be possible. Capsicum is all about file
> descriptors. When you call cap_enter(), you give up the ability to
> access global namespaces. For example, you can no longer open files
> (except using openat(2) for files in a subdirectory of a directory
> which is already opened). OTOH, pledge is all about syscalls. When
> you pledge, you give up the ability to use certain syscalls,
> regardless of what file descriptors they might involve. So for
> example, a program that uses pledge(2) to prohibit networking syscalls
> can't simply replace pledge(2) with cap_enter(2), because it may need
> to open files after pledging.
>
> -Alan

Thanks for the clarification, Alan.

So pledge(2) would, if implemented in FreeBSD, complement capsicum. They would only overlap around file descriptors, where capsicum could enforce a process's pledge like to only ever write to one file which is its logfile.

Florian
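As an added illustration of the distinction Alan draws and of Florian's "write only to the logfile" case (example code, not from the thread or from FreeBSD itself): a FreeBSD program keeps one rights-limited descriptor to its logfile, calls cap_enter(), and then shows that write(2) on that descriptor still works while open(2) on any path and read(2) on the logfile are refused. The file name demo.log and the helper names are assumptions of the example; it is FreeBSD-specific and compiles to a stub reporting "unavailable" elsewhere.

```c
/* Added example: confine a process to writing its logfile with Capsicum.
 * FreeBSD only; on other platforms the helpers return -2 ("unavailable"). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Limit logfd to CAP_WRITE and enter capability mode.
 * Returns 0 on success, -1 with errno set, -2 if Capsicum is unavailable. */
int confine_to_logfile(int logfd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_WRITE);      /* keep only write(2) on logfd */
    if (cap_rights_limit(logfd, &rights) == -1)
        return -1;                            /* e.g. EBADF for a bad fd */
    return cap_enter();                       /* global namespaces gone from here */
#else
    (void)logfd;
    return -2;
#endif
}

/* After cap_enter(), open(2) by path must fail with ECAPMODE.
 * Returns 1 if blocked as expected, 0 if the open succeeded, -2 if unavailable. */
int open_is_blocked(const char *path)
{
#ifdef __FreeBSD__
    int fd = open(path, O_RDONLY);
    if (fd != -1) { close(fd); return 0; }
    return errno == ECAPMODE;
#else
    (void)path;
    return -2;
#endif
}

int main(void)
{
    /* O_RDWR on purpose: it is the rights limit, not the open mode, that blocks read(2). */
    int logfd = open("demo.log", O_RDWR | O_CREAT | O_APPEND, 0600);
    if (logfd == -1) { perror("open demo.log"); return 1; }
    int rc = confine_to_logfile(logfd);
    if (rc == -2) { puts("Capsicum not available on this platform"); return 0; }
    if (rc == -1) { perror("confine_to_logfile"); return 1; }
    const char msg[] = "log-only process started\n";
    char buf[8];
    printf("write(logfd): %s\n", write(logfd, msg, sizeof msg - 1) == -1 ? strerror(errno) : "ok");
    printf("read(logfd):  %s\n", read(logfd, buf, sizeof buf) == -1 ? strerror(errno) : "unexpectedly allowed");
    printf("open(\"/etc/passwd\") blocked: %s\n", open_is_blocked("/etc/passwd") == 1 ? "yes (ECAPMODE)" : "no");
    return 0;
}
```

On FreeBSD the expected run prints "ok" for the write, "Capabilities insufficient" (ENOTCAPABLE) for the read, and "yes (ECAPMODE)" for the open.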