From: Alan Somers
Date: Sat, 11 Jun 2016 10:31:25 -0600
Subject: Re: The OpenBSD pledge
To: Domagoj Stolfa, Wolfgang Zenker, Florian Ermisch
Cc: FreeBSD CURRENT
References: <20160611103834.GA75085@lyxys.ka.sub.org> <1F5A9247-7C98-483C-A4BD-4A3D54208B3D@alumni.tu-berlin.de>

On Sat, Jun 11, 2016 at 5:32 AM, Domagoj Stolfa wrote:
> Yes, it would maybe make sense to do so. I am not too familiar with
> capsicum(4), but glancing over it, it might be possible. If anything, it
> would allow for code reuse from the OpenBSD ports and increased portability
> in the future. Maybe the people who have worked with capsicum(4) or have
> developed it could give some more insight on this.

I don't see how it would be possible. Capsicum is all about file descriptors. When you call cap_enter(), you give up the ability to access global namespaces. For example, you can no longer open files (except using openat(2) for files in a subdirectory of a directory which is already opened). OTOH, pledge is all about syscalls. When you pledge, you give up the ability to use certain syscalls, regardless of what file descriptors they might involve.

So for example, a program that uses pledge(2) to prohibit networking syscalls can't simply replace pledge(2) with cap_enter(2), because it may need to open files after pledging.

-Alan
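The descriptor-centric model described in the reply above, shown in an added C example that is not part of the thread or of FreeBSD's own code: the program opens a directory, calls cap_enter(), and then shows that open(2) by absolute path fails with ECAPMODE while openat(2) relative to the descriptor obtained beforehand still works. The non-FreeBSD stub, the EXPECTED_OPEN_ERRNO constant and the probe function are assumptions added so the file also compiles on hosts without Capsicum.

```c
#define _POSIX_C_SOURCE 200809L   /* openat(2), O_DIRECTORY */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#define EXPECTED_OPEN_ERRNO ECAPMODE  /* path-based open(2) is refused in capability mode */
#else
/* Assumed portability stub for hosts without Capsicum: nothing is sandboxed,
 * so the path-based open(2) is expected to succeed (errno stays 0). */
static int cap_enter(void) { return 0; }
#define EXPECTED_OPEN_ERRNO 0
#endif

struct probe {
    int open_errno;  /* errno from open(2) of an absolute path after cap_enter(); 0 on success */
    int openat_ok;   /* 1 if openat(2) relative to the pre-opened directory fd succeeded */
};

/* Open `dir` (must end in '/') before sandboxing, enter capability mode, then
 * try to reach `name` via the global namespace and via the saved descriptor. */
static struct probe probe_capmode(const char *dir, const char *name)
{
    struct probe p = { -1, 0 };
    char abspath[256];
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0 || cap_enter() != 0) {
        if (dirfd >= 0) close(dirfd);
        return p;  /* setup failed; open_errno stays -1 so callers can tell */
    }
    /* 1. Global namespace: open(2) with an absolute path. */
    snprintf(abspath, sizeof abspath, "%s%s", dir, name);
    errno = 0;
    int fd = open(abspath, O_RDONLY);
    p.open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    /* 2. Capability: openat(2) relative to the descriptor obtained beforehand. */
    fd = openat(dirfd, name, O_RDONLY);
    p.openat_ok = (fd >= 0);
    if (fd >= 0) close(fd);
    close(dirfd);
    return p;
}

int main(void)
{
    struct probe p = probe_capmode("/", "etc");
    printf("open(\"/etc\") errno=%d (ECAPMODE on FreeBSD), openat(rootfd, \"etc\") %s\n",
           p.open_errno, p.openat_ok ? "ok" : "failed");
    return (p.open_errno == EXPECTED_OPEN_ERRNO && p.openat_ok) ? 0 : 1;
}
```

A pledge-style policy restricts which syscalls may be made at all, so a program that keeps "rpath" in its promise set can still call open(2) by path, which is exactly the case capability mode does not permit.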