From nobody Wed Mar 30 16:14:29 2022
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2891D1A34735
	for <freebsd-hackers@mlmmj.nyi.freebsd.org>; Wed, 30 Mar 2022 16:14:44 +0000 (UTC)
	(envelope-from carpeddiem@gmail.com)
Received: from mail-il1-f182.google.com (mail-il1-f182.google.com [209.85.166.182])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KTBN26Xr0z3t27
	for <freebsd-hackers@freebsd.org>; Wed, 30 Mar 2022 16:14:42 +0000 (UTC)
	(envelope-from carpeddiem@gmail.com)
Received: by mail-il1-f182.google.com with SMTP id 14so10164838ily.11
        for <freebsd-hackers@freebsd.org>; Wed, 30 Mar 2022 09:14:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=maGTE4092P61htpemOd5Ah0BZPSIPjfHtdMZ3tM39kA=;
        b=awb3OsdtcTSktLBtoDhw1xeX3dPRpNZ2JELk2VO6dr8SXdNIGeZ36StaWH/LRn7Zg3
         eC6EtbefWxXKuXPTNR7WHL8sC03NDVCrb87V5Uwxk7CXagB+NrpYwe+haksSxjXxfBK4
         HVVSjQJ2JyC8XUJUBDWSC1bOZ5Dlz+AtaA9EOyx8T2q+lWIEwAgyYqQrmwsi9O8zPdjE
         yvsBGogPpEu48JJyPYXbB7OMzDVL4xv2C7xRR2+KO3EQyCDw1A447giwbRZAR+4fMhfp
         u2XL1RbCd4YHjyggXahVLjOFJ99QHHoOpEH/6ojx0qf7veb/pI0B6FnqScUbWIZ/b4Ji
         Ye+w==
X-Gm-Message-State: AOAM532Sh7bOMmr6V6h4XiJOFt/WpgGxWACj3T2rLbmveON2kpqj0y+9
	18IsZDKyhuH84Xdf95VvpljrZsm6cPcADCam0g0=
X-Google-Smtp-Source: ABdhPJzo9UPeTsOLzkmVBSRaKZnTjJ6RIkEvzhPEJ/rmLOuFITXU7OCALsm0wrOOewGe/dMe22WCr/LRtSE9WICiwMY=
X-Received: by 2002:a05:6e02:1c2a:b0:2c9:defa:d061 with SMTP id
 m10-20020a056e021c2a00b002c9defad061mr2938619ilh.260.1648656882058; Wed, 30
 Mar 2022 09:14:42 -0700 (PDT)
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
References: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com>
In-Reply-To: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com>
From: Ed Maste <emaste@freebsd.org>
Date: Wed, 30 Mar 2022 12:14:29 -0400
Message-ID: <CAPyFy2CK1s63-joiTACYnoiOAODHVNDk5Ahyax16BSK8moWxwg@mail.gmail.com>
Subject: Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support
To: Mathieu <sigsys@gmail.com>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 4KTBN26Xr0z3t27
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.166.182 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com
X-Spamd-Result: default: False [-0.64 / 15.00];
	 ARC_NA(0.00)[];
	 FREEFALL_USER(0.00)[carpeddiem];
	 FROM_HAS_DN(0.00)[];
	 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c];
	 RCVD_TLS_ALL(0.00)[];
	 MIME_GOOD(-0.10)[text/plain];
	 PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org];
	 DMARC_NA(0.00)[freebsd.org];
	 NEURAL_SPAM_MEDIUM(0.96)[0.964];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 TO_MATCH_ENVRCPT_SOME(0.00)[];
	 TO_DN_ALL(0.00)[];
	 NEURAL_HAM_SHORT(-0.61)[-0.605];
	 RCPT_COUNT_TWO(0.00)[2];
	 RCVD_IN_DNSWL_NONE(0.00)[209.85.166.182:from];
	 MLMMJ_DEST(0.00)[freebsd-hackers];
	 FREEMAIL_TO(0.00)[gmail.com];
	 FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com];
	 RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.182:from];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
	 FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com];
	 FREEMAIL_ENVFROM(0.00)[gmail.com];
	 RCVD_COUNT_TWO(0.00)[2]
X-ThisMailContainsUnwantedMimeParts: N

On Mon, 28 Mar 2022 at 05:38, Mathieu <sigsys@gmail.com> wrote:
>
> Hello list.  Since a while I've been working on and off on a
> pledge()/unveil() implementation for FreeBSD.  I also wanted it to be
> able to sandbox arbitrary programs that might not expect it with no (or
> very minor) modifications.

Interesting work - I'm happy to see development with the mac framework
and I plan to take a good look at it once I have a bit more time.

I have a couple of quick comments from an initial brief look. First,
the update to pledge's declaration in crypto/openssh/openbsd-compat
belongs upstream in the openssh-portable project; we'll then just pick
it up with a subsequent import. Second, following on from David
Chisnall's comment about userland abstraction, there's another example
of this concept in the "Super Capsicumizer 9000" at
https://github.com/unrelentingtech/capsicumizer. It interposes libc
and uses LD_PRELOAD, so won't work with statically linked binaries
(and has other limitations) but the example it presents is sandboxing
an unmodified gedit.