Alexander Nasonov <al...@yandex.ru> wrote:

> Theo de Raadt wrote:
> > The following change only permits system calls from address-ranges
> > in the process which system calls are expected from.
>
> Just curious if some approximation of pledge can be reimplemented
> in userspace with more granular libc.so's text segments?

I don't understand the question.

Please note a common misconception. Pledge isn't about blocking system calls. Rather, it blocks system behaviours in categories. A subset of that is done by blocking system calls. A large subset of that is not done by blocking system calls, but instead their actions, based upon the full parameter context.

When you suggest granularity you are surely talking about system call blocking, so that ignores parameters, so it is not at all like what pledge does, so you can understand my confusion.
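
The distinction drawn in the reply above, as an added illustration that is not part of the original message and is not OpenBSD code: a simplified C model contrasting a filter that sees only which system call was made with a check that also looks at the call's parameters, using open(2) flags as the case. All names (`P_*`, `CALL_*`, `syscall_filter_allows`, `pledge_model_open`) are hypothetical, and the promise mapping (read needs "rpath", write needs "wpath", `O_CREAT` needs "cpath") is a simplification that ignores the special cases a real kernel has.

```c
/* Added illustration: simplified model, NOT OpenBSD kernel code.
 * All identifiers here are hypothetical. */
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>

/* Promise bits standing in for the pledge(2) strings of the same name. */
enum { P_STDIO = 1, P_RPATH = 2, P_WPATH = 4, P_CPATH = 8 };

/* Model of pure system call blocking: the decision sees only the call. */
enum call { CALL_OPEN, CALL_UNLINK };
static bool syscall_filter_allows(unsigned allowed_calls, enum call c) {
    return (allowed_calls >> c) & 1u;
}

/* Model of a parameter-aware check for open(2): the same call is
 * permitted or refused depending on its flags argument.
 * Assumed mapping: read -> rpath, write -> wpath, O_CREAT -> cpath. */
static bool pledge_model_open(unsigned promises, int flags) {
    unsigned need = 0;
    int acc = flags & O_ACCMODE;
    if (acc == O_RDONLY || acc == O_RDWR) need |= P_RPATH;
    if (acc == O_WRONLY || acc == O_RDWR) need |= P_WPATH;
    if (flags & O_CREAT)                  need |= P_CPATH;
    return (promises & need) == need;
}

int main(void) {
    unsigned filter   = 1u << CALL_OPEN;     /* "open is an allowed call" */
    unsigned promises = P_STDIO | P_RPATH;   /* models pledge("stdio rpath") */
    int flags[] = { O_RDONLY, O_WRONLY, O_RDWR, O_WRONLY | O_CREAT };
    const char *names[] = { "O_RDONLY", "O_WRONLY", "O_RDWR",
                            "O_WRONLY|O_CREAT" };
    for (int i = 0; i < 4; i++)
        printf("open(%-16s) call-filter=%d parameter-aware=%d\n", names[i],
               syscall_filter_allows(filter, CALL_OPEN),
               pledge_model_open(promises, flags[i]));
    return 0;
}
```

The call-only filter gives the same answer for every row because it never sees the flags; only the parameter-aware check separates the read-only open from the others.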