Context Navigation

Changes between Version 89 and Version 90 of mmcco

Timestamp:: Dec 31, 2015, 10:37:32 PM (8 years ago)
Author:: mmcco
Comment:: apostrophe

Legend:

: Unmodified
: Added
: Removed
: Modified

mmcco

v89	v90
175	175	=== Initialization ===
176	176
177		OpenBSD's new privilege revocation system call [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2 pledge(2)] is based on the concept that programs do most of their privileged operations during initialization, eventually dropping into a main loop that is "boring and full of buffer overflows". The `pledge(2)` model therefore allows the process all privileges until it makes the system call. This is fundamentally different from approaches such as App^^Armors, which have a static privilege list stored outside the program that is always enforced.
	177	OpenBSD's new privilege revocation system call [http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2 pledge(2)] is based on the concept that programs do most of their privileged operations during initialization, eventually dropping into a main loop that is "boring and full of buffer overflows". The `pledge(2)` model therefore allows the process all privileges until it makes the system call. This is fundamentally different from approaches such as App^^Armor's, which have a static privilege list stored outside the program that is always enforced.
178	178
179	179	The `pledge(2)` model makes more sense for network programs like Pidgin and is easier to implement. In these cases, we trust the ''binary'' to not be malicious, but we don't trust the remote network entities it interacts with, and we don't trust the binary to protect us from them. Many other access control frameworks results attempt to protect the system from potentially malicious binaries, which can add complicating rigidity.