* community/gsoc/project_ideas.mdwn: add a link security_enhancements.mdwn
* community/gsoc/project_ideas/security_enhancements.mdwn: new file
security_enhancements.mdwn: mentions unveil, pledge, and arc4random. --- community/gsoc/project_ideas.mdwn | 1 + .../project_ideas/security_enhancements.mdwn | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 community/gsoc/project_ideas/security_enhancements.mdwn diff --git a/community/gsoc/project_ideas.mdwn b/community/gsoc/project_ideas.mdwn index c68cfd66..3f4827b1 100644 --- a/community/gsoc/project_ideas.mdwn +++ b/community/gsoc/project_ideas.mdwn @@ -116,6 +116,7 @@ project_ideas: community/gsoc/project_ideas/hardware_libs community/gsoc/project_ideas/cdparanoia community/gsoc/project_ideas/perl_python + community/gsoc/project_ideas/security_enhancements community/gsoc/project_ideas/testsuites community/gsoc/project_ideas/testing_framework community/gsoc/project_ideas/libcap diff --git a/community/gsoc/project_ideas/security_enhancements.mdwn b/community/gsoc/project_ideas/security_enhancements.mdwn new file mode 100644 index 00000000..c4adb0fc --- /dev/null +++ b/community/gsoc/project_ideas/security_enhancements.mdwn 
@@ -0,0 +1,35 @@ +[[!meta copyright="Copyright © 2025 Free Software Foundation, Inc."]] + +[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable +id="license" text="Permission is granted to copy, distribute and/or modify this +document under the terms of the GNU Free Documentation License, Version 1.2 or +any later version published by the Free Software Foundation; with no Invariant +Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license +is included in the section entitled [[GNU Free Documentation +License|/fdl]]."]]"""]] + +[[!meta title="Security Enhancements"]] + +Developers could improve the Hurd by adding various security +extentions: + +- The hurd lacks a high quality random number generator that can be + called inside libc, inside the kernel, inside pthread, etc. A good + example function is + [arc4random](https://man.openbsd.org/arc4random.3). + +- The Hurd lacks a method to restrict system calls like + [pledge](https://man.openbsd.org/pledge.2). Pledge is one of the + easier ways to limit what things a running program can do. + + pledge ("stdio rpath wpath", NULL); + + OpenBSD developers created pledge but coded it inside their kernel. + The Hurd would rather add this in userspace via FIXME. How would we + port pledge to the Hurd? Is this something that we want? I think + so. + +- The Hurd lacks a way to restrict paths of the VFS like + [unveil](https://man.openbsd.org/unveil.2). + + unveil ("/etc/fstab", "r"); -- 2.50.1
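Review bot: in the pledge item of the new security_enhancements.mdwn, the sentence "The Hurd would rather add this in userspace via FIXME." leaves an unresolved placeholder in the published page, so a reader of the project idea cannot tell which mechanism is meant. Either name the intended userspace mechanism or drop the clause and keep only the open question that follows ("How would we port pledge to the Hurd?"). In the same file, "extentions" should be "extensions", and "The hurd lacks a high quality random number generator" should capitalise "Hurd" as the other two list items do. The closing "Is this something that we want? I think so." reads as a mailing-list aside rather than project-idea text; consider stating the motivation directly.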