OpenBSD Journal

Call for Testing: Using tame() in userland

Contributed by tbert on from the a-tamed-wolf-is-still-a-dog dept.

Theo de Raadt (deraadt@) has just released a call for testing of an initial conversions of programs in OpenBSD base to use the tame(2) API:

This is for those of you interested in tame, and skilled enough to
play along.
This is a set of almost 100 diffs to programs in the tree to use tame.
These have been done by myself, doug, florian, semarie, and a few
other people I forget.  I would make a rough guess these changes took
about 100 hours of developer time; so making programs use tame() is
pretty efficient.

None of these examples uses the path whitelist yet.

It is not perfect or final, but it shows the strategy for applying
them to the base.  It can make it through a 'make build'.  Feel free
to do tests, look for mistakes, or write diffs for other programs.

Be careful writing such diffs; you need to fully understand the
program and handle all cases.  Not all programs can be tamed, some
behaviours (like execve) are not compatible with features tame
can do.

The full diff follows in the original message. For those of you curious to see how it works in practice, now you know. For those of you looking to get your hands dirty, it's time to rise to the challenge!

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]