Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support

From: Shawn Webb <>
Date: Thu, 31 Mar 2022 19:37:34 UTC
On Thu, Mar 31, 2022 at 03:33:06PM -0400, Ed Maste wrote:
> On Thu, 31 Mar 2022 at 06:25, David Chisnall <> wrote:
> >
> > Capsicum simply disallows '..' in paths.
> This is no longer true as of 7359fdcf5ffa. During a lookup the kernel
> checks that each ".." component specifies a directory that has already
> been visited in this name lookup call.
> > The execve hole is the reason that I have little interest in pledge as
> > an enforcement mechanism.
> Note that execve is only available if the "exec" keyword is specified.
> The child does not inherit the parent's limits, though.

I wonder if there's opportunity here for a little divergence. I think
inheritance would be a good thing. But this is more a philosophical
and subjective argument than a technical one.

Shawn Webb
Cofounder / Security Engineer
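The two ".." rules contrasted above (the older "any '..' is rejected" behaviour versus the current "only back to a directory already visited in this lookup" check) are easy to see side by side in a small user-space model. This is an added example, not code from the thread, from FreeBSD, or from curtain: it walks a relative path against a stack of the directories entered so far, treating the starting directory (the capability the lookup is relative to) as depth 0. The real kernel compares vnode identities during the lookup; this model compares positions in the walk and ignores symlinks, which is an assumption for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Model of Capsicum-style ".." handling (illustration, not kernel code).
 * Every directory entered during one lookup is pushed on a stack; under
 * the current rule ".." may only pop back to a directory already on that
 * stack. Walking above depth 0 would leave the set of visited directories,
 * which the model reports as -1 (standing in for ENOTCAPABLE). */

#define MAX_DEPTH 64
#define NOT_CAPABLE (-1)
#define TOO_LONG    (-2)

/* Walk PATH relative to the starting directory and write the normalised
 * relative path to OUT. ALLOW_VISITED_DOTDOT selects the rule:
 * 0 = reject every "..", 1 = allow ".." only back to a visited directory. */
static int
walk_relative(const char *path, int allow_visited_dotdot,
    char *out, size_t outsz)
{
    const char *comp[MAX_DEPTH];   /* start of each directory entered */
    size_t clen[MAX_DEPTH];        /* its length */
    int depth = 0;
    const char *p = path;

    if (*p == '/')                 /* absolute paths are not relative to a capability */
        return NOT_CAPABLE;

    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        while (*p == '/')          /* collapse repeated separators */
            p++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;              /* "." and empty components do not move */

        if (len == 2 && start[0] == '.' && start[1] == '.') {
            /* Old rule: always reject. New rule: reject only when the
             * parent was never visited in this lookup (depth 0). */
            if (!allow_visited_dotdot || depth == 0)
                return NOT_CAPABLE;
            depth--;
            continue;
        }

        if (depth == MAX_DEPTH)
            return TOO_LONG;
        comp[depth] = start;
        clen[depth] = len;
        depth++;
    }

    /* Render the normalised path from the surviving components. */
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < depth; i++) {
        if (used + clen[i] + 2 > outsz)
            return TOO_LONG;
        if (i > 0)
            out[used++] = '/';
        memcpy(out + used, comp[i], clen[i]);
        used += clen[i];
        out[used] = '\0';
    }
    return 0;
}

/* Older rule: any ".." component fails the lookup. */
int
lookup_reject_dotdot(const char *path, char *out, size_t outsz)
{
    return walk_relative(path, 0, out, outsz);
}

/* Current rule: ".." is fine as long as it targets a directory already
 * visited during this same lookup. */
int
lookup_visited_only(const char *path, char *out, size_t outsz)
{
    return walk_relative(path, 1, out, outsz);
}

int
main(void)
{
    /* Constructed sample paths; none refer to a real filesystem. */
    const char *samples[] = { "a/b/../c", "../etc/passwd", "a/../../x", "./a//b/" };
    char out[256];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int old_rc = lookup_reject_dotdot(samples[i], out, sizeof(out));
        int new_rc = lookup_visited_only(samples[i], out, sizeof(out));
        printf("%-16s old=%2d new=%2d -> %s\n", samples[i], old_rc, new_rc,
            new_rc == 0 ? out : "(rejected)");
    }
    return 0;
}
```

Under the current rule "a/b/../c" resolves to "a/c" because the ".." returns to "a", which this lookup already entered, while "../etc/passwd" and "a/../../x" are still rejected because they would step above the starting directory; the older rule rejects all three.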