On 2019/01/21 22:34, Theo de Raadt wrote:
> This approach seems backwards.
>
> It is hiding sensors from programs which are pledged (ie. we put effort into
> security, therefore a fig leaf for privacy)
>
> But.. in programs we cannot pledge, we continue exporting.
>
> Yes chrome is pledged so permanently has no access to the information.
>
> I am not loving this.

Agreed. The way pledge works for everything else is to disable the subsystem by default and allow programs to opt in. If restricting location information is needed then an approach more like the microphone disabling might make more sense. It seems more a "per user" decision than a "per app" decision. (Of course most programs would never need it - but the browsers, i.e. what people are most worried about, arguably *do* have a reason to opt in).

On 2019/01/21 23:19, Constantine A. Murenin wrote:
> Wouldn't this break sensorsd? (It's already been converted to use pledge.)

Yes. And using "sensors" as a proxy for "location" doesn't make a lot of sense either - that affects probably about 3 people who "ldattach nmea". To actually improve things for the majority of users, it needs to restrict bssid+nwid from wlan scan results.
