diff options
| author | Klemens Nanni <klemens@posteo.de> | 2021-06-06 23:00:43 +0000 |
|---|---|---|
| committer | June McEnroe <june@causal.agency> | 2021-06-09 09:41:22 -0400 |
| commit | 3d931d0f5a0c9665774c34ce894ce4a4a9c932c0 (patch) | |
| tree | 723f9a27ec53720c86450b606006960e8b354287 /handle.c | |
| parent | OpenBSD: unveil after ncurses(3) init to support TERMINFO (diff) | |
| download | catgirl-3d931d0f5a0c9665774c34ce894ce4a4a9c932c0.tar.gz catgirl-3d931d0f5a0c9665774c34ce894ce4a4a9c932c0.zip | |
OpenBSD: pledge minimum promises from the start
catgirl needs: - "stdio tty" at all times - "rpath inet dns" once at startup for terminfo(5) and ssl(8) - "proc exec" iff -R/restrict options is disabled - "rpath wpath cpath" iff -s/save or -l/log options is enabled Status quo: catgirl starts with the superset of all possible promises "stdio rpath wpath cpath inet dns tty proc exec", drops offline with "stdio rpath wpath cpath tty proc exec" and possibly drops to either of "stdio rpath wpath cpath tty", "stdio tty proc exec" or "stdio tty" depending on the options used. Such step-by-step reduction is straight forward and easy to model along the process runtime, but it comes with the drawback of starting with too broad promises right from the beginning, i.e. `catgirl -R -h host' is able to execute code and write to filesystems even though it must never do so according the (un)used options. Lay out required promises up front and pledge in two stages: 1. initial setup, i.e. fixed "stdio tty" plus temporary "rpath inet dns" plus potential "rpath wpath cpath" plus potential "proc exec" 2. final rutime, i.e. fixed "stdio tty" plus potential "rpath wpath cpath" plus potential "proc exec" This way the above mentioned usage example can never execute or write files, hence less potential for bugs and more accurate modelling of catgirl's runtime -- dropping "inet dns" alone in between also becomes obsolete with this approach.
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions