protect this man at all costs
It's like selinux, but how it should have been done. It shifts the onus of limiting system calls to the developer instead of the administrator who doesn't have the same experience tracing system calls while at the same time proving to the developer that their program was probably written out of order in the first place.
I found this very interesting! I hope to see pledge in other OSes, specifically FreeBSD.
Hahahahahaha, right, FreeBSD is full of holes
Very, very, very interesting!!
Does Linus do any lectures? Maybe he doesn't wish to 'waste time' on that. He admits he sits in his robe whilst overseeing the kernel. Notice Theo seems to do quite a few. A nice approach to getting people on board and doing things 'your way'.
Well, I do not think Linus needs to. The Linux kernel is basically in the majority of all operating systems used. You can't say that about OpenBSD.
This is so good
Problem though is that lots of suid programs can be exploited within the pledge limitation. Take the recent sudo vulnerability. Sudo needs to execute child processes, that's its job. A vulnerability in sudo that lets you execute arbitrary code to spawn a shell wouldn't be stopped by pledge because it has no way of telling if the execution is from malicious code or not - from an outside view they'd look the same. Mitigations can sometimes help but they are limited. I'm not sure if pledge would prevent elevation of privilege in cases where there's a code execution vulnerability.
Use doas bro, sudo is bad for puffy
Very impressive security awareness. I want to switch to OpenBSD as I've had enough of big data espionage. Today I installed OpenBSD 6.3 on my laptop (HP Notebook 15-ac125nd) but after a clean auto whole disk layout install it kept booting with a panic unfortunately.
What about adding something similar to interpreted languages like python, php, node ...? For example you call pledge in a python program and the interpreter can restrict its allowed syscalls. Maybe in the future the seccomp approach is not that bad because you can have different kinds of filters for interpreted languages without having to write kernel code for every language. Just write a userspace library/function which generates bpf code or something advanced in the future.
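The userspace "generate BPF from a promise" idea above, as an added example that is not from the talk or from any commenter: a Python process builds a classic-BPF seccomp filter with ctypes and installs it on itself, so that the exec family fails with EPERM while everything else is still allowed. It assumes Linux on x86_64 or aarch64 and glibc's prctl(); the syscall numbers and audit arch tags are the kernel's. A program that legitimately needs exec (the sudo case raised earlier in the thread) would have to keep exec in its allow set, which is exactly the limitation noted there.

```python
import ctypes, errno, os, platform, sys

# Kernel constants from linux/prctl.h, linux/seccomp.h, linux/filter.h, linux/audit.h.
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2
RET_KILL_PROCESS, RET_ERRNO, RET_ALLOW = 0x80000000, 0x00050000, 0x7FFF0000
LD_W_ABS, JEQ_K, RET_K = 0x20, 0x15, 0x06          # BPF_LD|W|ABS, BPF_JMP|JEQ|K, BPF_RET|K
# audit arch tag and the exec-family syscall numbers (execve, execveat) per architecture
ARCH = {"x86_64": (0xC000003E, [59, 322]), "aarch64": (0xC00000B7, [221, 281])}

class SockFilter(ctypes.Structure):                 # struct sock_filter
    _fields_ = [("code", ctypes.c_uint16), ("jt", ctypes.c_uint8),
                ("jf", ctypes.c_uint8), ("k", ctypes.c_uint32)]

class SockFprog(ctypes.Structure):                  # struct sock_fprog
    _fields_ = [("len", ctypes.c_uint16), ("filter", ctypes.POINTER(SockFilter))]

def build_filter(arch_tag, denied):
    """cBPF: wrong architecture -> kill; denied syscall -> EPERM; anything else -> allow."""
    insns = [SockFilter(LD_W_ABS, 0, 0, 4),             # A = seccomp_data.arch
             SockFilter(JEQ_K, 1, 0, arch_tag),         # right arch? skip the kill
             SockFilter(RET_K, 0, 0, RET_KILL_PROCESS),
             SockFilter(LD_W_ABS, 0, 0, 0)]             # A = seccomp_data.nr
    for nr in denied:
        insns.append(SockFilter(JEQ_K, 0, 1, nr))       # match -> fall into the EPERM return
        insns.append(SockFilter(RET_K, 0, 0, RET_ERRNO | errno.EPERM))
    insns.append(SockFilter(RET_K, 0, 0, RET_ALLOW))
    return insns

def drop_exec():
    """Install the filter on the calling process. Like pledge(), this cannot be undone."""
    arch_tag, denied = ARCH[platform.machine()]
    insns = build_filter(arch_tag, denied)
    prog = (SockFilter * len(insns))(*insns)
    fprog = SockFprog(len(insns), prog)
    libc, z = ctypes.CDLL(None, use_errno=True), ctypes.c_ulong(0)
    if libc.prctl(PR_SET_NO_NEW_PRIVS, ctypes.c_ulong(1), z, z, z) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, ctypes.c_ulong(SECCOMP_MODE_FILTER), ctypes.byref(fprog), z, z) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")

def exec_in_child(restrict):
    """Fork; the child (optionally) drops exec, then execs python. Returns the child's exit code."""
    pid = os.fork()
    if pid == 0:
        try:
            if restrict:
                drop_exec()
            os.execv(sys.executable, [sys.executable, "-c", "pass"])   # exit 0 if allowed
        except OSError as e:
            os._exit(e.errno)                                          # EPERM (1) when filtered
        os._exit(97)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
```

Run `exec_in_child(True)` and `exec_in_child(False)` side by side: the same interpreter, the same exec call, and only the filter decides the outcome.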
Thank you HackFest for not providing the slides along with the video. I guess you guys are too l33t to bother with that.
All those geniuses like him or Linus Torvalds. It just seems natural that they cannot get along with each other. They are just too overconfident with themselves (with good reason).
Whitelist is a good idea, but what about excluding the usual suspects of rewriting commands and libexecs with a blacklist? Pledge never to write to /sbin, /bin, /usr/sbin, /usr/libexec, /usr/local/bin etc.