I am just its (mostly happy) user. I wrote that rule on my phone, so you are right, it is not complete. On the other hand, raw sockets require the CAP_NET_RAW capability, which is often assigned to root only, so running a capability-untreated binary as an unprivileged user should not allow any raw socket ops (ping often uses file capabilities or setuid root).
AFAIK it requires root to load/reload profiles. And that is fine for me, my use-case is hardening of services running on my server.
But I agree that software developers know their software the best, so they should be the ones writing the rules and ideally configure them depending on automake/configure paths (i.e. different PREFIX; this software/profile separation is annoying), but pledge() looks too old and non-flexible for such a job IMO. Most software needs file ops but doesn't need to write everywhere.
I'm sure it's great but it requires setuid privileges. If it needs root it isn't ad-hoc.
> But I agree that software developers know their software the best so they should be the ones writing the rules
Exactly! You get it. pledge() is basically an App Store permissions model in spirit. It's curated and, like Android / Apple devs, the developer is thinking about what permissions they'll need to ask for at each step of writing their program. Not needing root is an important aspect of enabling that. The good news is that with SECCOMP BPF and Landlock I think we finally have a comprehensive solution for building the perfect unprivileged sandbox.
For ad-hoc restriction of untrusted software you can already use stuff like FireJail https://firejail.wordpress.com/