Landry Breuil <[email protected]> wrote:
> > As I said before, I am uncomfortable pushing this policy mechanism into
> > the kernel to be used by *only one program*.
>
> I never said it was *only* for firefox.

You are right.  It is I that said it is only for firefox.  Because that is
the only diff on the table.  There are no diffs for additional programs.
ALWAYS, when a feature was added to pledge, there were multiple programs
ready to use it.

> Right now, any program using the v4l api can't be pledged or then loses
> the ability to talk to the camera device.  Ok, in base there's only
> video(1), but in ports there's mplayer, ffmpeg, vlc, gstreamer, sane,
> etc..

I don't see any diffs for those.

> I know blindly adding pledge everywhere in the ports tree isn't a primary
> target, but I think huge programs with big attack surface (like all the
> video players) would be good contenders.

You are effectively adding *ALL* the pledges to the main firefox program,
and asking for even more pledges, exposing even more abilities.  Please
explain how this is making it more secure.

What I see is an insecure program which probably expects POSIX semantics,
being thrown into a pledges world where a large number of semantics change.

> > Sorry, but that isn't how pledge is developed / extended.
>
> I thought it was developed by experimenting with things, and then
> iterating on them.  As far as I see from the cvs log for the pledge
> kernel subsystem and the basesystem programs conversion, that's how it
> was developed.  Start with a set of syscall subsets, then add a new
> syscall to a subset when needed because it's a valid use case (or change
> the program behaviour to hoist the syscall usage), or separate a set of
> syscalls in a new class.

That is incorrect.  PLURAL usage case diffs were always written in parallel.

> I don't see how different the video pledge I'm proposing is from the
> other classes of syscalls that were added for
> bpf/drm/tape/audio/disklabel/pf/tty/route.  They were all added to allow
> for a subset of ioctls on a particular type of device.
>
> How is my approach different here?
Well for one, I am having a very hard time seeing how it adds security to that firefox process.
