List:       openbsd-tech
Subject:    pledge status
From:       Theo de Raadt <deraadt () openbsd ! org>
Date:       2015-11-28 7:52:22
Message-ID: 12994.1448697142 () cvs ! openbsd ! org

I've been sending out these reports about pledge status every few weeks; it is kind of fun so I will continue.

Early on, I modified ps(1) so that it can show whether a process is pledged in some fashion. This shows up as a little 'p' in the STAT field. (It tends to be the last character of the field, so let's use that below). 'p' does not tell you how strict the requests are, but it indicates some developer(s) put effort into restricting what the process will do.

Let's look at that (play along at home)

    % ps aguxww | grep 'p *'
    [list of processes which are pledged]

    % ps aguxww | grep -v 'p *'
    [list of processes which are not pledged, much shorter]

Some curious things show up, depending on what you are running on your system.

If you are running X, you may also have xconsole. For both X and xconsole you will see one process is pledged, the other is not. This is privilege separation showing itself a bit more obviously. So far, we've been able to pledge one half of the process grouping, but not the other half. Give us time, maybe we can build requests for the other halves.

If you are running smtpd, you will probably be happy with the result. gilles and eric designed (the monster) as many processes, then glued them together into fewer. As a result, the pflogd shows the same behaviour; one side is pledged, the other is not. tcpdump does the same. Trust me, the gory scary bits are pledged. The master processes are lying around to do an ioctl.

You'll soon see that sshd and ssh are not yet pledged (well, the sshd pre-auth is..). There is some work starting on those, somewhat slowly. The moniker "swiss army knife" shows itself here, because these are very complicated programs that can at quite arbitrary times use a wide variety of system capabilities.

In my view, the most important programs not yet pledged are:

    sshd
    ssh
    sftp
    sftp-server
    dhclient
    mountd
    lpd lpr lpq lprm (yes, legacy software, but still)
    xconsole (the other half)
    xdm
    sndiod (work in progress, stay tuned for a great commit!)
    spamd (the entire toolset)
    ifstated
    ospfd
    ospf6d
    Some other minor routing daemons

Also a few other pieces of software are incompletely pledged, and need some refactoring when the right people find time. Particularly:

    relayd
    snmpd

That is simply because these are complicated pieces of software. It is the same story as ssh and sshd. pledge is a high-level syscall blocker, but in syscall intensive programs the principles can become difficult (or impossible) to apply, and other methods attempt to make that software fail when it misbehaves.

If you are running ports.. well.. that can't happen yet.
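The pledged/unpledged split described in the message above, as an added example that is not part of the original post: it tests only the STAT column for the 'p' flag, so a 'p' in a user name, tty or command does not count. The function names and the sample `ps` output are constructed for illustration; on a live system the input would be the output of `ps aguxww`.

```shell
#!/bin/sh
# Added example: split ps(1) output into pledged / unpledged processes
# by looking for the 'p' flag in the STAT column only.

# Constructed sample in `ps aux` layout (not captured from a real host).
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME COMMAND
root     10001  0.0  0.1   600   500 ??  Is     7:01AM    0:00.01 pflogd: [priv] (pflogd)
_pflogd  10002  0.0  0.1   700   400 ??  Sp     7:01AM    0:00.10 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
root     10003  0.0  0.1   900  1200 ??  Is     7:01AM    0:00.02 /usr/sbin/sshd
alice    10004  0.0  0.1   800  2000 p0  S+     7:05AM    0:00.03 ssh host.example
EOF
}

# pledge_filter pledged|unpledged  -- reads ps output on stdin,
# prints "PID STAT COMMAND..." for the matching processes.
pledge_filter() {
    awk -v want="$1" '
        NR == 1 {
            # Find the columns by header name instead of a fixed position.
            for (i = 1; i <= NF; i++) {
                if ($i == "STAT")    stat = i
                if ($i == "PID")     pid  = i
                if ($i == "COMMAND") cmd  = i
            }
            if (!stat || !pid || !cmd) {
                print "ps header lacks PID/STAT/COMMAND" > "/dev/stderr"
                exit 2
            }
            next
        }
        {
            # The flag may sit anywhere after the state letter.
            is_pledged = (index($stat, "p") > 0)
            if ((want == "pledged") == is_pledged) {
                line = $pid " " $stat
                for (i = cmd; i <= NF; i++) line = line " " $i
                print line
            }
        }'
}

# Demo on the constructed sample: list what still lacks a pledge.
sample_ps | pledge_filter unpledged
```
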