OS hacking: Let's implement pledge() like OpenBSD!

Interesting to see you "play" with the functionality you just implemented at the end, think it's a good sign when you get non trivial/non-intuitive results ("oh of course this process needs access to x, y and z"). Kinda transcends what you expected and makes you truly understand stuff. Like not only does pledge acts as a protection but it's also a contract declaring what you are going to consume, not only a safeguard for security but also resource consumption or more, a sanity check etc.

Andreas, thank you so much for your videos. Big fan

I’m today’s episode of 👏 Security 👏 Month, a love story straight from a soap opera:
“Don’t worry, pledge! I’ll make space for you, even if it takes a while...”
_A solid 5/7_
~ IGN
_A beautiful masterpiece_
~ The Simon

Nice, never heard of pledge before, I guess all this OS Hacking stuff got you there :o

wth is this channel and why the f am i only just finding it now!? THIS is what ive wanted on a linux channel for years, straight up dope need more people going through common programs showing us what we can do and showing man page entries the general process fom a coding side! its this sorta thing that my brain has never understood. like i can write a little cpp and a little python maybe js using node but i havent ever gotten anything from a manpage cause my adhd just goes "wtf am i supposed to read or take from this mass of text!?" thank you for the channel i am now addicted!

Grand Master at work. I love it. Please continue.

This is super interesting! Makes me wonder, though - what do you think about the idea of having a C++ api for syscalls etc for the userland, which would be nicer to use than C-style calls? You know, using AK::Strings, enum classes, etc.
So a call to, say,
int pledge(const char*, const char*)
becomes something like
Result pledge(PledgeMask, PledgeMask)
or whatever.
I feel like that's an interesting idea to think about (although maybe too much for the current scope and too much work for the little bit of "niceness" it would add), but would enforce a lot just through the typesystem alone! Something like that would move problems like straight up invalid strings or other invalid things into the userspace, as a responsibility of the callee.
I'm aware it's just a geeky idea that isn't very practical, but in general, do you have any thoughts on this?

lets share this one !

Instead of checking the pledges for every syscall, do you think it would be possible to patch the syscall table for the process to remove all calls that are not allowed after the pledge?

Promises, and they still feel all so wasted on myself♬

This is great. Thank you.

No seccomp? ;)

While watching I was wondering, in your macros you write do { ... } while(0). Is there a difference between that and instead writing { ... }, where the latter makes a local scope? Or is there some other reason that I don’t see also?

You shouldn't copy the worst syscalls. Use a bitmask, not a string.

This is kinda like seccomp I guess, neat :)

Adding things to a pledge would eliminate the entire point.
A lot of that syscall could probably be put into a method you call twice with a couple pointers.
Edit:
VALIDATE_PROMISE perhaps?
Edit:
Might be interesting if you could mark a page as superuser when it's used in a syscall then copy it if userspace assessees it. Might be able to eliminate a bunch of attacks and might not have too much overhead.

Never heard of pledge, what a crappy idea. It would be better if the compiler where modified to inspect the calls made by the binary and build some sort of mask that was handed to the kernel rather than relying on the user to specify it manually in the source ......