Contributed by tbert on from the a-tamed-wolf-is-still-a-dog dept.
Theo de Raadt (deraadt@) has just released a call for testing of an initial conversion of programs in OpenBSD base to use the tame(2) API:
This is for those of you interested in tame, and skilled enough to play along.
This is a set of almost 100 diffs to programs in the tree to use tame. These have been done by myself, doug, florian, semarie, and a few other people I forget. I would make a rough guess these changes took about 100 hours of developer time; so making programs use tame() is pretty efficient. None of these examples uses the path whitelist yet. It is not perfect or final, but it shows the strategy for applying them to the base. It can make it through a 'make build'. Feel free to do tests, look for mistakes, or write diffs for other programs. Be careful writing such diffs; you need to fully understand the program and handle all cases. Not all programs can be tamed; some behaviours (like execve) are not compatible with features tame can do.
The full diff follows in the original message. For those of you curious to see how it works in practice, now you know. For those of you looking to get your hands dirty, it's time to rise to the challenge!