#5, 23rd January 2016
e1-531g (ISO Quartermaster)

I am not an expert on pledge and chroot in OpenBSD, so don't take me too seriously on this.
If I understand it correctly, one thing missing for me is the ability to restrict processes also after fork() AND execve().
I think it could be used to build a sandbox environment using chroot().
Create a chroot, then drop privileges inside the chroot (become another user), then pledge not to use the system calls for becoming another user (especially root), and after that start Firefox.
I think it could be quite difficult for an attacker to get out of this chroot, read files outside the chroot and send them over the Internet.
But maybe I am wrong on something.

Add2:
I understand that for some programs it does not fit well, for example a shell: ksh should be able to pledge itself tightly, but processes executed by ksh should not be pledged by default at all.
On the other hand, maybe there is a place for a second kind of exec promise to also pledge other executed programs (fork() AND execve()).
But maybe there are more difficulties than I see.

Last edited by e1-531g; 23rd January 2016 at 01:37 PM. Reason: Added second part of post
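The launcher sequence sketched in the post (chroot, drop privileges, pledge, start the program) written out as a C program. This is an added example, not code from the post or from OpenBSD. It uses the two-argument pledge(2) that OpenBSD 6.3 later introduced: the first argument binds the calling process, the second (execpromises) is applied to the image loaded by execve(2), which is essentially the "second kind of exec promise" the post asks for. The chroot path, uid/gid and promise strings are constructed sample values; on systems without pledge(2) a stub is compiled in so the rest of the sequence still builds and the post-drop check can be exercised.

```c
/* Added example: chroot -> drop privileges -> pledge -> execve launcher.
 * pledge(2) exists only on OpenBSD; elsewhere it is stubbed as a no-op
 * (portability assumption) so the remaining steps still compile. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stub for non-OpenBSD builds: does nothing and reports success. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Return 1 if real, effective and saved ids all equal uid/gid and, for a
 * non-root uid, regaining root is refused. A launcher should make this
 * check after dropping privileges and before exec; a partial drop (e.g.
 * saved uid still 0) is exactly what lets a process climb back. */
int privileges_dropped_to(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && (setuid(0) != -1 || errno != EPERM))
        return 0;
    return 1;
}

/* Enter root, drop to uid/gid, pledge, then exec argv[0].
 * Returns -1 with errno set on failure; on success it never returns. */
int sandbox_exec(const char *root, uid_t uid, gid_t gid,
                 const char *promises, const char *execpromises,
                 char *const argv[])
{
    /* 1. chroot, then chdir("/"): without the chdir the working directory
     *    still refers to a directory outside the new root. */
    if (chroot(root) == -1 || chdir("/") == -1)
        return -1;

    /* 2. Drop supplementary groups, then gid, then uid. setresuid goes
     *    last because it also removes the right to change ids again. */
    if (setgroups(1, &gid) == -1)
        return -1;
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    if (!privileges_dropped_to(uid, gid)) {
        errno = EPERM;
        return -1;
    }

    /* 3. pledge: 'promises' restricts this process up to execve, and
     *    'execpromises' becomes the pledge of the program it execs
     *    (OpenBSD 6.3+). "exec" must be in 'promises' to call execve. */
    if (pledge(promises, execpromises) == -1)
        return -1;

    /* 4. Start the sandboxed program inside the chroot. */
    execv(argv[0], argv);
    return -1;
}

int main(void)
{
    /* Constructed sample values: path inside the chroot, unprivileged
     * uid/gid, minimal promises for the launcher and a browser-like set
     * for the executed program. Real deployments choose their own. */
    char *const child[] = { "/usr/local/bin/firefox", NULL };

    if (sandbox_exec("/var/sandbox/firefox", 1000, 1000,
                     "stdio rpath exec",
                     "stdio rpath wpath cpath inet dns unix",
                     child) == -1) {
        fprintf(stderr, "sandbox_exec: %s\n", strerror(errno));
        return 1;
    }
    return 0;
}
```

The program must start as root for chroot(2) and the id changes to succeed; the whole point of the ordering is that by the time execv runs, the process is an unprivileged user confined to the chroot with only the pledged system calls available, and the executed program inherits the execpromises set rather than running unpledged.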