summary refs log tree commit diff
path: root/LICENSE
diff options
context:
space:
mode:
authorKlemens Nanni <klemens@posteo.de>2021-06-06 23:00:43 +0000
committerJune McEnroe <june@causal.agency>2021-06-09 09:41:22 -0400
commit3d931d0f5a0c9665774c34ce894ce4a4a9c932c0 (patch)
tree723f9a27ec53720c86450b606006960e8b354287 /LICENSE
parentOpenBSD: unveil after ncurses(3) init to support TERMINFO (diff)
downloadcatgirl-3d931d0f5a0c9665774c34ce894ce4a4a9c932c0.tar.gz
catgirl-3d931d0f5a0c9665774c34ce894ce4a4a9c932c0.zip
OpenBSD: pledge minimum promises from the start
catgirl needs:
- "stdio tty" at all times
- "rpath inet dns" once at startup for terminfo(5) and ssl(8)
- "proc exec" iff -R/restrict options is disabled
- "rpath wpath cpath" iff -s/save or -l/log options is enabled

Status quo:  catgirl starts with the superset of all possible promises
"stdio rpath wpath cpath inet dns tty proc exec", drops offline with
"stdio rpath wpath cpath tty proc exec" and possibly drops to either of
"stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty"
depending on the options used.

Such step-by-step reduction is straight forward and easy to model along
the process runtime, but it comes with the drawback of starting with
too broad promises right from the beginning, i.e. `catgirl -R -h host'
is able to execute code and write to filesystems even though it must
never do so according the (un)used options.

Lay out required promises up front and pledge in two stages:
1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns"
   plus potential "rpath wpath cpath" plus potential "proc exec"
2. final rutime,  i.e. fixed "stdio tty"
   plus potential "rpath wpath cpath" plus potential "proc exec"

This way the above mentioned usage example can never execute or write
files, hence less potential for bugs and more accurate modelling of
catgirl's runtime -- dropping "inet dns" alone in between also becomes
obsolete with this approach.
Diffstat (limited to 'LICENSE')
0 files changed, 0 insertions, 0 deletions
1-09Define macro for bit flag enumsJune McEnroe 2019-11-08Check that password is hashedJune McEnroe 2019-11-08Avoid calling getopt_long again after it returns -1June McEnroe 2019-11-08Only change AWAY status for registered clientsJune McEnroe 2019-11-07Just write the example normallyJune McEnroe 2019-11-07Include path in readlinkat errorJune McEnroe 2019-11-07Call clientConsume before clientRecvJune McEnroe 2019-11-06Use -l:filename in Linux.mkJune McEnroe 2019-11-06Fix compat.h for #defined strlcpyJune McEnroe 2019-11-06Allow unsetting LIBRESSL_PREFIXJune McEnroe 2019-11-06Document calico service configurationJune McEnroe 2019-11-06Document SASL EXTERNAL configuration in more detailJune McEnroe 2019-11-06Document pounce service configurationJune McEnroe 2019-11-06Mention Darwin and GNU/Linux in READMEJune McEnroe 2019-11-06Assume LibreSSL from brew on DarwinJune McEnroe 2019-11-06Remove -DNO_EXPLICIT_BZERO from Darwin.mkJune McEnroe 2019-11-06Don't install rc scripts or dirs on LinuxJune McEnroe