Misc. BSD/UNIX Porting OpenBSD pledge() to Linux

[J65nko]

From https://justine.lol/pledge/

Quote:

OpenBSD is an operating system that's famous for its focus on security. Unfortunately, OpenBSD leader Theo states that there are only 7000 users of OpenBSD. So it's a very small but elite group, that yields a disproportionate influence; since we hear all the time about the awesome security features these guys get to use, even though we usually can't use them ourselves.

Pledge is like the forbidden fruit we all covet when the boss says we must use things like Linux. Why does it matter? It's because pledge() actually makes security comprehensible. Linux has never really had a security layer that mere mortals can understand.

[snip]

I originally wrote my pledge() polyfill for the redbean web server as a sandboxing solution. However it turns out pledge() is robust enough as an abstraction that I thought it'd be useful to create a small command line utility which launches processes under pledge(), so that anyone can use it, without having to configure it in C code.

[ripe]

I am far from any elite group haha!!!

[fvgit]

Quote:

Originally Posted by J65nko

However it turns out pledge() is robust enough as an abstraction that I thought it'd be useful to create a small command line utility which launches processes under pledge(), so that anyone can use it, without having to configure it in C code.

The command-line implementation doesn't seem to be universally admired. Here's an interesting discussion with OpenBSD developer Dave Voutila about this very topic.