> The problem of exec(2) is if we permit it (without inherited tame flags)
> your program has a way to go outside its expected behaviour. For example, if
> a tamed program has a bug that permits execution of code, the attacker
> would just have to do "exec(something-else)" to escape the imposed
> policy. Without exec(2), the attacker has just a limited subset of
> syscalls allowed.
Actually the attacker would do:

    copy address space to new program with "fattr" attribute,
    make it executable,
    execve

That is an escape. execve by default is wrong.

tame is starting at the bottom end, allowing us to define small semantics which cover most programs. As we move up the stack towards more complicated programs, other tame features will show up. Be patient.