Stuart Henderson <[email protected]> wrote:
> On 2021/03/16 09:28, Theo de Raadt wrote:
> >
> > > Yes, I know, it's a "better than nothing" solution. I tried to make it
> > > run for all use cases, which is quite wide as you said.
> >
> > Hang on -- it is not "better than nothing". It leaves the programs with
> > enough abilities so that, if it got holed, it could still do everything it
> > needs to do to own the system. pledge and unveil are used elsewhere to
> > ensure privdrop/privsep designs, and here it is not doing that.
>
> Absolutely. A pledge which (after startup) allows the combination
> of both file access and network io really makes me question if the pledge
> is going to do anything useful.
The suggested pledge allows everything required for exploitation, while removing minor system (posix and de facto standard) features which will result in immediate process termination. This addition of pledge cannot be justified. Stuart and I want everyone on this list to understand WHY this is a bad idea, because "let's add pledge, it works for me" style diffs are arriving on a regular basis.
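The pattern the thread is asking for, as an added illustration that is not part of this mail or of the diff under discussion: do the file work during initialisation under a broad pledge(2), then narrow to a promise set in which the steady-state process has either file access or network io, but not both. The block also carries a small checker that flags a promise string still granting both at once, which is the combination Stuart calls out. The real pledge() call is compiled only on OpenBSD; on other systems an assumed portability shim records the promise string so the logic can be exercised. The promise names used (stdio, rpath, wpath, cpath, inet, unix, dns) are real pledge(2) promises; the function names and the "stdio rpath inet" / "stdio inet" staging are this example's own choices.

```c
/* Added example, not from the thread. Staged pledge plus a checker for the
 * "files and network after startup" combination the thread criticises. */
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>	/* pledge(2) */
#endif

/* Last promise string handed to pledge(), recorded so a caller can verify
 * how far the process has been narrowed. */
static char current_promises[128] = "(none)";

/* On OpenBSD this is the real system call; elsewhere it is a no-op shim
 * (an assumption made only so the example builds and runs portably). */
static int
apply_pledge(const char *promises)
{
#ifdef __OpenBSD__
	if (pledge(promises, NULL) == -1)
		return -1;
#endif
	snprintf(current_promises, sizeof(current_promises), "%s", promises);
	return 0;
}

/* Space-separated promise list membership test, no strtok so it is C99-clean. */
static int
has_promise(const char *promises, const char *want)
{
	size_t wlen = strlen(want);
	const char *p = promises;

	while (*p != '\0') {
		const char *start;
		while (*p == ' ')
			p++;
		start = p;
		while (*p != '\0' && *p != ' ')
			p++;
		if ((size_t)(p - start) == wlen && strncmp(start, want, wlen) == 0)
			return 1;
	}
	return 0;
}

/* Returns 1 if the promise string still grants file-system access and
 * network io at the same time. After startup that combination leaves a
 * holed process able to do everything it needs to own the system, which
 * is the point made in the thread. */
int
pledge_keeps_files_and_network(const char *promises)
{
	static const char *file_promises[] = { "rpath", "wpath", "cpath", NULL };
	static const char *net_promises[] = { "inet", "unix", "dns", NULL };
	int files = 0, net = 0, i;

	for (i = 0; file_promises[i] != NULL; i++)
		if (has_promise(promises, file_promises[i]))
			files = 1;
	for (i = 0; net_promises[i] != NULL; i++)
		if (has_promise(promises, net_promises[i]))
			net = 1;
	return files && net;
}

/* Staged pledge: broad while reading configuration and setting up the
 * listening socket, then narrowed to "stdio inet" for the service loop so a
 * hole in the network-facing code can no longer reach the file system.
 * Each later pledge must be a subset of the earlier one. */
int
run_staged(void)
{
	if (apply_pledge("stdio rpath inet") == -1)
		return -1;
	/* ... startup: open config, bind the socket, keep only needed fds ... */
	if (apply_pledge("stdio inet") == -1)
		return -1;
	/* ... service loop: only already-open fds and the network remain ... */
	return 0;
}

const char *
current_pledge(void)
{
	return current_promises;
}

int
main(void)
{
	const char *weak = "stdio rpath wpath cpath inet";

	printf("%s: keeps files+network = %d\n", weak,
	    pledge_keeps_files_and_network(weak));
	if (run_staged() == 0)
		printf("after startup: pledge is \"%s\", keeps files+network = %d\n",
		    current_pledge(),
		    pledge_keeps_files_and_network(current_pledge()));
	return 0;
}
```

The checker is deliberately coarse: it only asks whether a single post-startup promise string still spans both the file-system and network families. A design that genuinely needs both after startup is the case for privsep, with one process holding the files and another holding the sockets, rather than for a wider pledge.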
