Date: Fri, 01 Apr 2022 10:37:48 +0000 From: "Poul-Henning Kamp" <phk@phk.freebsd.dk> To: David Chisnall <theraven@FreeBSD.org> Cc: freebsd-hackers@freebsd.org Subject: Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support Message-ID: <202204011037.231AbmQ7002360@critter.freebsd.dk> In-Reply-To: <16ab7cdb-32b4-5ffe-f6a8-a657383b3078@FreeBSD.org> References: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com> <01320c49-fa7e-99d2-5840-3c61bb8c0d57@FreeBSD.org> <2d103b77-84d4-fbd7-d957-21b9aa4d5d79@gmail.com> <16ab7cdb-32b4-5ffe-f6a8-a657383b3078@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-------- David Chisnall writes: > > pledge()/unveil() are usually used for fairly well-disciplined > > applications that either don't run other programs or run very specific > > programs that are also well-disciplined and don't expect too much > > (unless you just drop the pledges on execve()). > > The execve hole is the reason that I have little interest in pledge as > an enforcement mechanism. That (and the name) is why I have never seen it as an enforcement mechanism, but only as a special case of asserts: "I pledge that I'm not going to ... (until I tell you otherwise), fail me if I do". It is not obvious to me what role the "curtain" proposal is intended to play, or what role the originator of that proposal think pledge()/unveil() has ? What is the level of ambition and the use-cases here ? -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202204011037.231AbmQ7002360>