tech-kern archive


Re: FWIW: sysrestrict



On 24/07/2016 at 22:57, Joerg Sonnenberger wrote:
On Sun, Jul 24, 2016 at 01:09:46PM +0200, Maxime Villard wrote:
The goal of sysrestrict (and pledge, and whatever else) is not to provide the
perfect feature that will control absolutely everything. The goal is just to
provide an additional, simple layer of restriction. It is a combination of
such features that can mostly reach the granularity you want. Sysrestrict for
syscalls, UNIX file permissions for VFS, kauth for kernel permissions, Veriexec
for binary permissions, etc.

Frankly, I haven't seen many use cases for pledge so far that actually
make sense. While I do see a certain sense in allowing a fully sandboxed
process hierarchy, that can already be obtained to a degree with ptrace.
If you want to actually get something like this into the tree, you should
start at the beginning. What problem is it trying to solve, why is that
problem relevant and how does it get solved?


It's just obvious: we don't want ftpd to call modctl, or execve (even if it
currently does), or mount, or reboot, or swapctl, etc. And it gets solved
by restricting those syscalls.

I didn't start this thread with the intention of getting anything into the
tree. As I said, it is just an idea.

