1. 20

I've started work on implementing a Linux version of OpenBSD's pledge, a security mechanism that helps stop exploited programs from doing things they shouldn't.

I did it using seccomp-bpf, which is a new tool (that came about to help Chromium build a better, safer sandbox) that allows you to add filtering scripts to the kernel; we just use it in a very basic way here, though.
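To make the "very basic way" concrete, here is an added example (not the author's code) of what a minimal pledge-style seccomp-bpf filter looks like when built by hand: a whitelist of syscall numbers compiled into a classic BPF program that checks the architecture first, allows the listed syscalls and kills the process on anything else. It talks to the kernel through `prctl(2)` directly rather than via libseccomp, and it includes a tiny interpreter for the three cBPF instruction kinds it emits so the filter's decisions can be checked in-process before anything is installed. The `stdio_promise` syscall list is a constructed stand-in for one pledge promise, not OpenBSD's actual set, and the code assumes x86_64 or aarch64 Linux.

```c
/* pledge_seccomp_demo.c: build, dry-run and optionally install a whitelist filter.
 * Added example, not the project's code. Assumes x86_64 or aarch64 Linux. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "this demo only knows x86_64 and aarch64 syscall numbering"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers only have the thread-kill variant */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_INSNS 64

struct pledge_filter {
    struct sock_filter insns[MAX_INSNS];
    unsigned short len;
};

/* Constructed stand-in for a "stdio"-like promise: enough to read, write and exit. */
static const int stdio_promise[] = { SYS_read, SYS_write, SYS_close, SYS_exit_group, SYS_exit };
static const size_t stdio_promise_len = sizeof stdio_promise / sizeof stdio_promise[0];

/* Compile a syscall whitelist into cBPF:
 *   arch != ours      -> KILL   (never trust syscall numbers from another ABI)
 *   nr in allowed[]   -> ALLOW
 *   anything else     -> KILL                                                    */
static int build_pledge_filter(struct pledge_filter *f, const int *allowed, size_t n)
{
    size_t i = 0;
    if (n == 0 || n + 6 > MAX_INSNS) return -1;
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f->insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0);
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* On match, skip the remaining compares and the KILL to land on the final ALLOW. */
        uint8_t jt = (uint8_t)(n - k);
        f->insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[k], jt, 0);
    }
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f->insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f->len = (unsigned short)i;
    return 0;
}

/* Dry-run interpreter for the instruction subset build_pledge_filter emits
 * (absolute word load, jump-if-equal-constant, return-constant). */
static uint32_t run_filter(const struct pledge_filter *f, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < f->len; pc++) {
        const struct sock_filter *in = &f->insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: {
            uint32_t v;
            if (in->k + sizeof v > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&v, (const char *)d + in->k, sizeof v);
            acc = v;
            break;
        }
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;  /* instruction we never emit */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* What would the filter do for syscall `nr` arriving from architecture `arch`? */
static uint32_t decide(const struct pledge_filter *f, int nr, uint32_t arch)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return run_filter(f, &d);
}

/* Install for real. NO_NEW_PRIVS is required for an unprivileged caller. */
static int install_pledge_filter(const struct pledge_filter *f)
{
    struct sock_fprog prog = { .len = f->len, .filter = (struct sock_filter *)f->insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(int argc, char **argv)
{
    struct pledge_filter f;
    if (build_pledge_filter(&f, stdio_promise, stdio_promise_len) != 0) return 1;
    const int probes[] = { SYS_write, SYS_execve, SYS_openat };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("syscall %d -> %s\n", probes[i],
               decide(&f, probes[i], DEMO_AUDIT_ARCH) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    if (argc > 1 && strcmp(argv[1], "--install") == 0) {
        if (install_pledge_filter(&f) != 0) return 1;
        write(1, "pledged\n", 8);  /* allowed; any non-whitelisted call from here kills us */
    }
    return 0;
}
```

Run without arguments to see the dry-run decisions; `--install` actually loads the filter, after which the process may only use the whitelisted calls. The dry-run interpreter is the useful part for development: it lets you check a promise set against the syscalls a program is observed to make without having the kernel kill the process on every mistake.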

    1. [Comment removed by author]

      1. [Comment removed by author]

        1. 6

          OpenSSH is portable and pledged. You could try enabling the pledge calls in the portable version :)

          1. 1

            I think it won't work. For example, scp calls pledge very early and later calls execvp to run local commands; with seccomp this process would be limited too, while with OpenBSD's pledge the newly executed program is not pledged.

    2. 3

      I implemented a similar function but it's not usable at all; I just printed out which calls would be accepted, to test and see how far this would be possible with seccomp. https://github.com/Duncaen/OpenDoas/blob/master/libopenbsd/pledge-seccomp.c

      The current implementation of OpenBSD's pledge has some whitelisted paths that can be accessed, which is not possible to implement with seccomp AFAIK. The paths parameter too, but for the application I would use pledge with, this is currently not necessary.

      Do you have any plans to use seccomp directly instead of libseccomp? Maybe by making use of the helpers from https://github.com/torvalds/linux/tree/master/samples/seccomp

      If you plan to add more syscalls I would like to test and use your implementation with OpenDoas.

      Thanks for sharing this, even if it's not usable yet :)

      1. 1

        The current implementation of OpenBSD's pledge has some whitelisted paths that can be accessed, which is not possible to implement with seccomp AFAIK. The paths parameter too, but for the application I would use pledge with, this is currently not necessary.

        Seccomp would need to be combined with ptrace, unfortunately.