Landry Breuil <landry@openbsd.org> wrote:
> Well, I managed to have a 'video' pledge class, so you can probably get
> an 'uhidioctl' class :)
I still feel the addition of 'video' pledge was an abuse of the concept.
firefox has done a pretty weak version of privsep that requires a
'master process' to have nearly all the pledges. The pledge options are
designed to encourage best-practice privsep, but firefox wants to
operate a master process with such a vast subset of full-posix, it is as
if it doesn't use pledge at all.
It is similar with unveil, with this new diff. That process wants to
use a library which accesses many tens of files. This new subsystem
hasn't been separated out into a process with a specific purpose.
pledge tries to tighten two problems at the same time
1) decreased abilities for what the process can do when its memory is
invaded
2) decreased exposure to the kernel
The addition of these device-specific ioctls is fighting against
both tightenings.
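The privsep pattern the message holds up as best practice, as an added example that is not from the thread, from OpenBSD or from Firefox: the parent pledges only what it needs to fork, hands untrusted input to a child that immediately drops to "stdio", and then tightens itself to "stdio" as well. A bug in the child can only touch descriptors it already holds, and the kernel surface it can reach is the small stdio set. The hex encoder standing in for "the risky parser", the function names, and the pledge() stub for non-OpenBSD hosts (where pledge(2) does not exist, so the stub enforces nothing) are assumptions made for this example.

```c
/* Added example of pledge(2) privsep. Not OpenBSD's or Firefox's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#ifndef __OpenBSD__
/* Assumption: on hosts without pledge(2) this stub keeps the example
 * compiling so the privsep structure can be run anywhere. It enforces
 * nothing. On OpenBSD the real pledge(2) from <unistd.h> is used. */
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises; (void)execpromises;
	return 0;
}
#endif

/* The "risky" work that handles untrusted bytes. If it is ever exploited,
 * the attacker holds a process that has pledged "stdio": no open(2),
 * no sockets, no ioctls beyond the stdio set. */
static void hexencode(const unsigned char *in, size_t inlen, char *out)
{
	static const char hex[] = "0123456789abcdef";
	for (size_t i = 0; i < inlen; i++) {
		out[2 * i] = hex[in[i] >> 4];
		out[2 * i + 1] = hex[in[i] & 0xf];
	}
	out[2 * inlen] = '\0';
}

/* Run hexencode() in a tightly pledged child; the NUL-terminated result
 * comes back over a pipe. Returns 0 on success, -1 on any failure,
 * including the child dying from a pledge violation or a crash. */
int privsep_hexencode(const unsigned char *in, size_t inlen,
    char *out, size_t outlen)
{
	int fds[2], status;
	pid_t pid;
	size_t want = 2 * inlen + 1, got = 0;

	if (outlen < want || pipe(fds) == -1)
		return -1;
	if ((pid = fork()) == -1) {
		close(fds[0]); close(fds[1]);
		return -1;
	}
	if (pid == 0) {
		/* Child: narrow to "stdio" before looking at the input. */
		close(fds[0]);
		if (pledge("stdio", NULL) == -1)
			_exit(1);
		char *buf = malloc(want);
		if (buf == NULL)
			_exit(1);
		hexencode(in, inlen, buf);
		for (size_t off = 0; off < want; ) {
			ssize_t n = write(fds[1], buf + off, want - off);
			if (n <= 0)
				_exit(1);
			off += (size_t)n;
		}
		_exit(0);
	}
	/* Parent: collect the result, then check how the child ended. */
	close(fds[1]);
	while (got < outlen) {
		ssize_t n = read(fds[0], out + got, outlen - got);
		if (n < 0) {
			close(fds[0]);
			waitpid(pid, &status, 0);
			return -1;
		}
		if (n == 0)
			break;
		got += (size_t)n;
	}
	close(fds[0]);
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		return -1;
	return (got == want && out[got - 1] == '\0') ? 0 : -1;
}

int main(void)
{
	/* "proc" is needed only to fork; drop it as soon as the child exists. */
	unsigned char input[] = "untrusted bytes";  /* constructed sample */
	char result[64];
	if (pledge("stdio proc", NULL) == -1)
		return 1;
	int rc = privsep_hexencode(input, sizeof(input) - 1, result, sizeof(result));
	if (pledge("stdio", NULL) == -1)
		return 1;
	printf("rc=%d hex=%s\n", rc, rc == 0 ? result : "(failed)");
	return rc == 0 ? 0 : 1;
}
```

On OpenBSD, adding a call such as open("/etc/passwd", O_RDONLY) inside the child after its pledge("stdio") kills the child with SIGABRT, and privsep_hexencode() reports -1 because the child did not exit cleanly; that is the containment the message describes. A design where the parent keeps "stdio proc rpath wpath inet ..." for the lifetime of the program, as the message says Firefox's master process does, gets neither tightening.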