pledge() enhancement

pledge() enhancement

Luke Small
I didn't like how rmdir(2) managed to not work when there were contents to
be deleted, so I wrote a function that would. Obviously leaving a function
like this laying around is dangerous, especially in an application server.
Can you put in pledge functionality that would reduce the ability to access
locally accessible functions?
-Luke Small

Re: pledge() enhancement

Ingo Schwarze
Hi Luke,

Luke Small wrote on Fri, Nov 13, 2015 at 06:01:37PM -0600:

> I didn't like how rmdir(2) managed to not work when there were contents to
> be deleted, so I wrote a function that would. Obviously leaving a function
> like this laying around is dangerous, especially in an application server.
> Can you put in pledge functionality that would reduce the ability to access
> locally accessible functions?

I see why you might sometimes wish to restrict the use of functions
you write yourself inside your program.  However, that is not
possible with pledge(2), it's the wrong tool for the job.  Pledge
is a kernel feature.  When you call your own function in a userland
program, the kernel never sees the calls to that function, so it
can't do anything about it.

With pledge, it is not even possible to restrict the use of C library
functions that work without performing syscalls, for exactly the same
reason: Such calls never make it into the kernel, so the kernel cannot
intercept and deny them.

In case somebody wants to continue this discussion, please do so
on the misc@ mailing list, not on bugs@.  There is no bug here.

Yours,
  Ingo
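
As an added illustration of Ingo's point (this is example code written for this page, not code from either poster or from OpenBSD): a recursive remove of the kind Luke describes, with the pledge(2) promise that each underlying system call falls under written next to it. The function name rm_tree, the demo_rm_tree helper and the temp-dir layout it builds are assumptions made for the example; the two-argument pledge(promises, execpromises) form and the mapping of fstatat/openat to "rpath" and unlinkat/rmdir to "cpath" are taken from the pledge(2) manual as I read it and should be checked against the release you run. The pledge call is compiled in only on OpenBSD so the file still builds elsewhere.

```c
#if !defined(__OpenBSD__)
#define _GNU_SOURCE   /* expose fstatat/openat/fdopendir/mkdtemp on glibc */
#endif
#include <sys/stat.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* Assumption: the two-argument pledge(2) (promises, execpromises). */
#define PLEDGE(p) do { if (pledge((p), NULL) == -1) { perror("pledge"); exit(1); } } while (0)
#else
#define PLEDGE(p) ((void)(p))   /* pledge(2) is OpenBSD-only; compiled out here */
#endif

/* The userland function the kernel never sees.  What it does see, and what
 * pledge can allow or kill, is the list of system calls marked below. */
static int rm_tree_at(int parent, const char *name)
{
    struct stat st;
    if (fstatat(parent, name, &st, AT_SYMLINK_NOFOLLOW) == -1)  /* fstatat(2): "rpath" */
        return -1;
    if (!S_ISDIR(st.st_mode))
        return unlinkat(parent, name, 0);                        /* unlink(2): "cpath" */

    /* openat(2): "rpath".  O_NOFOLLOW so a symlink swapped in after the stat is not entered. */
    int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1)
        return -1;
    DIR *d = fdopendir(fd);
    if (d == NULL) {
        close(fd);
        return -1;
    }
    int ret = 0;
    struct dirent *e;
    while (ret == 0 && (e = readdir(d)) != NULL) {               /* getdents(2) underneath */
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        ret = rm_tree_at(fd, e->d_name);
    }
    closedir(d);                                                 /* also closes fd */
    if (ret == 0)
        ret = unlinkat(parent, name, AT_REMOVEDIR);              /* rmdir(2): "cpath" */
    return ret;
}

/* Hypothetical name for the example: remove path and everything under it. */
int rm_tree(const char *path)
{
    return rm_tree_at(AT_FDCWD, path);
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd == -1 ? -1 : close(fd);
}

/* Constructed sample input (not from the thread): build a small tree in a
 * fresh temp dir, including a symlink that escapes the tree, remove it
 * with rm_tree(), and return 0 only if the tree is gone and "/" untouched. */
int demo_rm_tree(void)
{
    char root[] = "/tmp/rmtree.XXXXXX";
    char p[PATH_MAX];
    if (mkdtemp(root) == NULL) return -1;
    snprintf(p, sizeof p, "%s/a", root);      if (mkdir(p, 0700) == -1) return -1;
    snprintf(p, sizeof p, "%s/a/b", root);    if (mkdir(p, 0700) == -1) return -1;
    snprintf(p, sizeof p, "%s/a/b/f1", root); if (touch(p) == -1) return -1;
    snprintf(p, sizeof p, "%s/f2", root);     if (touch(p) == -1) return -1;
    snprintf(p, sizeof p, "%s/a/esc", root);  if (symlink("/", p) == -1) return -1;

    if (rm_tree(root) == -1) return -1;
    return (access(root, F_OK) == -1 && errno == ENOENT && access("/", F_OK) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s dir\n", argv[0]);
        return 1;
    }
    /* The kernel cannot restrict rm_tree() itself.  It can only check the
     * system calls above against these promises: leave "cpath" out and the
     * process is killed at the first unlinkat(2), not at the function call. */
    PLEDGE("stdio rpath cpath");
    if (rm_tree(argv[1]) == -1) {
        perror(argv[1]);
        return 1;
    }
    return 0;
}
```

Run it as ./rmtree somedir on OpenBSD, then rebuild with PLEDGE("stdio rpath") to see the difference: the function still gets called and still runs up to its first unlink, and only there does the kernel step in. That is the whole of what pledge can do about a locally written function; a function that makes no system calls at all would run to completion under any promise set.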