From owner-freebsd-current@freebsd.org Mon Jun 13 10:40:20 2016
From: Domagoj Stolfa
Date: Mon, 13 Jun 2016 12:40:16 +0200
Subject: Re: The OpenBSD pledge
To: freebsd-current@freebsd.org
In-Reply-To: <87672BA7-6724-45EB-B173-920DCEC39564@alumni.tu-berlin.de>
References: <20160611103834.GA75085@lyxys.ka.sub.org> <1F5A9247-7C98-483C-A4BD-4A3D54208B3D@alumni.tu-berlin.de> <87672BA7-6724-45EB-B173-920DCEC39564@alumni.tu-berlin.de>
List-Id: Discussions about the use of FreeBSD-current

On Mon, Jun 13, 2016 at 9:44 AM, Florian Ermisch <florian.ermisch@alumni.tu-berlin.de> wrote:
>
> On 11 June 2016 at 18:31:25 CEST, Alan Somers wrote:
> > On Sat, Jun 11, 2016 at 5:32 AM, Domagoj Stolfa wrote:
> > > Yes, it would maybe make sense to do so. I am not too familiar with
> > > capsicum(4), but glancing over it, it might be possible. If anything, it
> > > would allow for code reuse from the OpenBSD ports and increased
> > > portability in the future. Maybe the people who have worked with
> > > capsicum(4) or have developed it could give some more insight on this.
> >
> > I don't see how it would be possible. Capsicum is all about file
> > descriptors. When you call cap_enter(), you give up the ability to
> > access global namespaces. For example, you can no longer open files
> > (except using openat(2) for files in a subdirectory of a directory
> > which is already opened).
> > OTOH, pledge is all about syscalls. When you pledge, you give up the
> > ability to use certain syscalls, regardless of what file descriptors
> > they might involve. So for example, a program that uses pledge(2) to
> > prohibit networking syscalls can't simply replace pledge(2) with
> > cap_enter(2), because it may need to open files after pledging.
> >
> > -Alan
>
> Thanks for the clarification, Alan.
> So pledge(2) would, if implemented in FreeBSD, complement capsicum.
> They would only overlap around file descriptors, where capsicum could
> enforce a process's pledge to only ever write to one file, which is its
> logfile.
>
> Florian

It indeed does seem like they could complement each other. One could pledge the entire program and use capsicum(4) to limit certain file descriptors even further, but not the rest of the program, such as a TCP socket. This does seem like increased simplicity in limiting the whole program using pledge(2), plus the additional benefit that capsicum(4) offers in terms of file descriptors. The question remains, though: how would they interact with each other? A single pledge(2) call, as Alan said, could limit the operation of capsicum(4).

Domagoj
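Added example, not part of the thread above and not code from FreeBSD or OpenBSD: a small C program that exercises the two Capsicum behaviours the thread describes. After cap_enter(2) an absolute-path open(2) fails with ECAPMODE (the global namespace is gone), while openat(2) relative to a directory descriptor obtained beforehand still works; then cap_rights_limit(2) shrinks that one descriptor to CAP_WRITE, which is Florian's "only ever write to its logfile" case, so write(2) succeeds and read(2) fails with ENOTCAPABLE. The probing runs in a forked child so the parent never enters capability mode. It assumes a FreeBSD host with Capsicum (10.0 or later) and a writable /tmp; the struct and function names (cap_demo, run_capsicum_demo, capsicum_demo_check) are made up for this example, and on a host without Capsicum the demo reports "unsupported" rather than pretending to run.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Findings reported by the sandboxed child (names are this example's own). */
struct cap_demo {
    int supported;   /* 1 on FreeBSD, 0 on hosts without Capsicum */
    int entered;     /* 1 if cap_enter() succeeded */
    int open_errno;  /* errno from open() of an absolute path after cap_enter() */
    int openat_ok;   /* 1 if openat(dirfd, "log.txt") still worked */
    int write_ok;    /* 1 if write() worked on the CAP_WRITE-only descriptor */
    int read_errno;  /* errno from read() on the CAP_WRITE-only descriptor */
};

#ifdef __FreeBSD__
/* Runs in the forked child: enter capability mode and probe what is left. */
static void probe_in_child(int dirfd, const char *abs_path, struct cap_demo *r)
{
    cap_rights_t rights;
    char buf[1];
    int fd;

    if (cap_enter() == 0)
        r->entered = 1;

    /* Global namespace: any AT_FDCWD or absolute lookup is refused (ECAPMODE). */
    if (open(abs_path, O_RDONLY) < 0)
        r->open_errno = errno;

    /* Delegated namespace: a path relative to a directory descriptor that was
       opened before cap_enter() still resolves (Alan's openat(2) point). */
    fd = openat(dirfd, "log.txt", O_RDWR);
    if (fd >= 0) {
        r->openat_ok = 1;
        /* Log-file case: keep only CAP_WRITE on this descriptor. */
        cap_rights_init(&rights, CAP_WRITE);
        if (cap_rights_limit(fd, &rights) == 0) {
            if (write(fd, "x", 1) == 1)
                r->write_ok = 1;
            if (read(fd, buf, sizeof buf) < 0)
                r->read_errno = errno;   /* expected: ENOTCAPABLE */
        }
        close(fd);
    }
}
#endif

/* Create a scratch directory and log file, fork, and collect the child's findings. */
struct cap_demo run_capsicum_demo(void)
{
    struct cap_demo r;
#ifdef __FreeBSD__
    char dir[] = "/tmp/capdemo.XXXXXX";
    char abs_path[sizeof dir + sizeof "/log.txt"];
    int pfd[2], dirfd, fd;
    pid_t pid;
#endif
    memset(&r, 0, sizeof r);
#ifdef __FreeBSD__
    r.supported = 1;
    if (mkdtemp(dir) == NULL || pipe(pfd) != 0)
        return r;
    snprintf(abs_path, sizeof abs_path, "%s/log.txt", dir);
    dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    fd = open(abs_path, O_RDWR | O_CREAT | O_TRUNC, 0600); /* parent is unsandboxed */
    if (dirfd < 0 || fd < 0)
        return r;
    close(fd);

    pid = fork();
    if (pid == 0) {
        probe_in_child(dirfd, abs_path, &r);
        (void)write(pfd[1], &r, sizeof r);   /* pipe descriptor keeps full rights */
        _exit(0);
    }
    if (pid > 0) {
        (void)read(pfd[0], &r, sizeof r);
        waitpid(pid, NULL, 0);
    }
    close(pfd[0]); close(pfd[1]); close(dirfd);
    unlink(abs_path); rmdir(dir);
#endif
    return r;
}

/* 1 if the sandbox behaved as the thread describes, 0 if it did not,
   -1 on a host with no Capsicum to test. */
int capsicum_demo_check(void)
{
    struct cap_demo r = run_capsicum_demo();
    if (!r.supported)
        return -1;
#ifdef __FreeBSD__
    return r.entered && r.open_errno == ECAPMODE && r.openat_ok &&
           r.write_ok && r.read_errno == ENOTCAPABLE;
#else
    return 0;   /* not reached: supported is only set on FreeBSD */
#endif
}

int main(void)
{
    int rc = capsicum_demo_check();
    if (rc < 0)
        puts("no Capsicum on this host");
    else
        printf("Capsicum behaved as described in the thread: %s\n", rc ? "yes" : "no");
    return rc > 0 ? 0 : 1;
}
```

Note what the example does not show: nothing in it restricts the syscalls the child may make. It can still call socket(2) or any other syscall the kernel permits in capability mode, which is exactly the gap Alan describes between cap_enter(2) and pledge(2).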