Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support

From: Ed Maste <emaste_at_freebsd.org>
Date: Wed, 30 Mar 2022 16:14:29 UTC
On Mon, 28 Mar 2022 at 05:38, Mathieu <sigsys@gmail.com> wrote:
>
> Hello list.  For a while I've been working on and off on a
> pledge()/unveil() implementation for FreeBSD.  I also wanted it to be
> able to sandbox arbitrary programs that might not expect it with no (or
> very minor) modifications.

Interesting work - I'm happy to see development with the MAC framework
and I plan to take a good look at it once I have a bit more time.

I have a couple of quick comments from an initial brief look. First,
the update to pledge's declaration in crypto/openssh/openbsd-compat
belongs upstream in the openssh-portable project; we'll then just pick
it up with a subsequent import. Second, following on from David
Chisnall's comment about userland abstraction, there's another example
of this concept in the "Super Capsicumizer 9000" at
https://github.com/unrelentingtech/capsicumizer. It interposes libc
and uses LD_PRELOAD, so won't work with statically linked binaries
(and has other limitations) but the example it presents is sandboxing
an unmodified gedit.