OpenBSD Journal

Pre-5.9 pledge(2) update

Contributed by tj on from the no-broken-promises dept.

In a continuing series of pledge(2) reports, Theo de Raadt (deraadt@) gives us the latest update before the 5.9 freeze.

Time for another report on pledge.  A few items.

     int
     pledge(const char *promises, const char *paths[]);

For the next upcoming release, we will disable the 'paths' argument.
Reasoning: We have been very busy making as much of the tree set the
promises right in applications, and building a few new promises as
well.  We simply don't have enough time to review the kernel code and
make sure it is bug-free.  We'll use the next 6 months development
cycle to decide on paths, and then re-audit the tree to use the
interface where it is suitable.

The base tree (/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/games)
contains 652 ELF binaries. 451 use pledge.  201 do not. Approximately
47 do not need or cannot use pledge.  Leaving 154 we could potentially
pledge in the future.  Most of those are not very important.  There
are a few hot spots, but most of what people use has been handled well
by the team.

The sndiod subsystem now has been privsep'd, and also uses a new
"audio" pledge to contain the ioctl operations against the sound
device.

Robert, with some help from Kettenis for a "drm" pledge to control
ioctls against the drm subsystem, recently started using pledge in
chrome.  chrome is already designed for sandboxing (it uses seccomp
and various other technology on android and linux systems).  pledge
turns out to be an incredibly simple adaptation.  This does however
leave us in the strange situation where firefox has W^X but lacks
pledge, and chrome has pledge but lacks W^X.

Amazing progress has been made in this development cycle. As a reminder, an early version of pledge was included in 5.8 (when it was still called "tame"), but no programs in that release actually used it. A few months later, the numbers above speak for themselves. We're looking forward to 5.9 with these improvements, and 6.0 is set to be even better.
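For readers who have not yet pledged a program of their own, here is the pattern the report's numbers are built on: the pledge "staircase". This is an added example, not code from Theo's report or from any OpenBSD program. A process asks for the widest promise set it will ever need as early as possible, narrows after each setup phase, and can never regain a promise: a later call naming a promise it has already given up fails with EPERM, and a syscall outside the current set kills the process with SIGABRT (the kernel logs the violated promise). The second argument is NULL throughout, as the report requires for 5.9. On OpenBSD the block calls the real kernel pledge(2); on other systems it substitutes a small userland model (an assumption of this example, so the code compiles and runs elsewhere) that enforces only the narrowing rule and does not filter syscalls. The config path /etc/myname and the function names are illustrative.

```c
/*
 * Added example (not from the report): the pledge(2) staircase.
 * Broadest promises first, then narrow after each setup phase.
 * Promises are never regained: re-requesting one fails with EPERM.
 * On non-OpenBSD hosts a userland model (assumption for portability)
 * stands in for the kernel and enforces only the narrowing rule.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
static char current_promises[256];  /* model state: promise set in force */
static int  pledged;                 /* 0 until the first successful pledge */

/* Is the token tok[0..n) one of the space-separated words in set? */
static int has_promise(const char *set, const char *tok, size_t n)
{
	const char *p = set, *s;
	while (*p) {
		while (*p == ' ') p++;
		s = p;
		while (*p && *p != ' ') p++;
		if ((size_t)(p - s) == n && memcmp(s, tok, n) == 0)
			return 1;
	}
	return 0;
}

/* Every promise in want must already be held: the set can only shrink. */
static int narrows(const char *want)
{
	const char *p = want, *s;
	while (*p) {
		while (*p == ' ') p++;
		s = p;
		while (*p && *p != ' ') p++;
		if (p > s && !has_promise(current_promises, s, (size_t)(p - s)))
			return 0;
	}
	return 1;
}

/* Stand-in with the 5.9 prototype; NULL promises leaves the set unchanged. */
static int pledge(const char *promises, const char *paths[])
{
	(void)paths;                /* disabled in 5.9: always pass NULL */
	if (promises == NULL)
		return 0;
	if (pledged && !narrows(promises)) {
		errno = EPERM;      /* attempt to widen the set is refused */
		return -1;
	}
	snprintf(current_promises, sizeof current_promises, "%s", promises);
	pledged = 1;
	return 0;
}
#endif

/*
 * Phase 1 needs rpath to read a config file; phase 2 (the long-running
 * part) needs only stdio, so rpath is dropped before it begins.
 * Returns 0, or -1 with errno set if a pledge call is rejected.
 */
int run_with_staircase(const char *cfgpath, char *buf, size_t len)
{
	if (pledge("stdio rpath", NULL) == -1)
		return -1;

	buf[0] = '\0';
	int fd = open(cfgpath, O_RDONLY);   /* allowed: rpath is held */
	if (fd != -1) {
		ssize_t n = read(fd, buf, len - 1);
		if (n > 0)
			buf[n] = '\0';
		close(fd);
	}

	/* Setup done. On OpenBSD, any open(2) after this line aborts the process. */
	if (pledge("stdio", NULL) == -1)
		return -1;
	return 0;
}

/* After narrowing to "stdio", asking for rpath again returns -1 / EPERM. */
int try_to_regain_rpath(void)
{
	return pledge("stdio rpath", NULL);
}

int main(void)
{
	char buf[128];
	if (run_with_staircase("/etc/myname", buf, sizeof buf) == -1) {
		perror("pledge");
		return 1;
	}
	printf("config: %.*s\n", (int)strcspn(buf, "\n"), buf);
	if (try_to_regain_rpath() == -1 && errno == EPERM)
		printf("re-pledge for rpath refused, as expected\n");
	return 0;
}
```

To watch the kernel side on OpenBSD, add an open(2) call after the second pledge and run the binary: it dies with SIGABRT and dmesg shows which promise was violated. That abort-on-violation is why the staircase matters in practice: every promise dropped before the long-running phase is one less thing an attacker who gains control of the process can do.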



Comments
  1. By Anonymous Coward (203.217.30.84) on

    Pledge^(W^X) :)

    Comments
    1. By Anonymous Coward (109.163.234.8) on

      > Pledge^(W^X) :)

      More like Pledge|(W^X)

    2. By Damon (198.7.62.199) on

      > Pledge^(W^X) :)

      ( Pledge && W ) || ( Pledge && X )

  2. By Anonymous Coward (79.247.189.118) on

    Theo claimed:

    "652 ELF binaries. 451 use pledge. 201 do not. Approximately
    47 do not need or cannot use pledge. Leaving 154 we could potentially
    pledge in the future. "

    Is there any list available? Can a user generate the list as well to "validate" it?

    Comments
    1. By Theo de Raadt (199.185.136.55) on

      > Theo claimed:
      >
      > "652 ELF binaries. 451 use pledge. 201 do not. Approximately
      > 47 do not need or cannot use pledge. Leaving 154 we could potentially
      > pledge in the future. "
      >
      > Is there any list available? Can a user generate the list as well to "validate" it?

      find [bunch of directories] -type f ... file
      ... grep ELF -> ~652
      Using that list: 451 by grep'ing or nm + grep for 'pledge'
      201 by using subtraction
      ~47 by recognizing programs like: reboot, true, umount, sysctl which perform the most
      154 by using subtraction

      There is no need to "validate". The purpose of the list is to (a) demonstrate many programs are using pledge successfully without regressions (b) gloat a little (c) approximate the unfinished work with some metric (rather than none).

      Like all metrics, you need to find your own perceived value of the metric. In my mind, it counts the remainder which are hard to pledge or we would have already done them.

      I keep removing the list, because approximately once a week it becomes out of date.

      Comments
      1. By Sebastian Rother (79.247.189.118) on

        > > Theo claimed:
        > >
        > > "652 ELF binaries. 451 use pledge. 201 do not. Approximately
        > > 47 do not need or cannot use pledge. Leaving 154 we could potentially
        > > pledge in the future. "
        > >
        > > Is there any list available? Can a user generate the list as well to "validate" it?
        >
        > find [bunch of directories] -type f ... file
        > ... grep ELF -> ~652
        > Using that list: 451 by grep'ing or nm + grep for 'pledge'
        > 201 by using subtraction
        > ~47 by recognizing programs like: reboot, true, umount, sysctl which perform the most
        > 154 by using subtraction
        >
        > There is no need to "validate". The purpose of the list is to (a) demonstrate many programs are using pledge successfully without regressions (b) gloat a little (c) approximate the unfinished work with some metric (rather than none).
        >
        > Like all metrics, you need to find your own perceived value of the metric. In my mind, it counts the remainder which are hard to pledge or we would have already done them.
        >
        > I keep removing the list, because approximately once a week it becomes out of date.

        Thank you Theo,

        I did not want to say you lied or anything. I just forgot it's that easy.

        Btw: Your idea is really good. Even though we don't like each other (via e-Mail [and NOT eMail, who allowed this shit to get into CVS.. *grml*])

        I deeply respect this idea.. simple, easy to use for programmers, easy to understand (most important, as far as programmers are concerned!).. Thank you for sharing it with everybody!

        Kind regards,
        Sebastian

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]