I've started work on implementing a Linux version of OpenBSD's pledge, a security mechanism that helps stop exploited programs from doing things they shouldn't.
I did it using seccomp-bpf, which is a new tool (that came about to help Chromium build a better, safer sandbox) that allows you to add filtering scripts to the kernel; we just use it in a very basic way here, though.
OpenSSH is portable and pledged. You could try enabling the pledge calls in the portable version :)
I think it won't work. As an example, scp calls pledge very early and later calls execvp to run local commands; with seccomp this process would be limited too, while with OpenBSD's pledge the newly executed program is not pledged.

I implemented a similar function but it's not usable at all; I just printed out which calls would be accepted, to test and see how far this would be possible with seccomp. https://github.com/Duncaen/OpenDoas/blob/master/libopenbsd/pledge-seccomp.c

The current implementation of OpenBSD's pledge has some whitelisted paths that can be accessed, which is not possible to implement with seccomp afaik. The paths parameter too, but for the application I would use pledge for this is currently not necessary.

Do you have any plans about using seccomp directly instead of libseccomp? Maybe by making use of the helpers from https://github.com/torvalds/linux/tree/master/samples/seccomp

If you plan to add more syscalls I would like to test and use your implementation with OpenDoas.
Thanks for sharing this, even if it's not usable yet :)
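The two comments above talk about a pledge-style syscall whitelist built on seccomp-bpf, about using seccomp directly rather than through libseccomp, and about the filter following the process through execvp. The program below is an added example written for this page; it is not code from the thread, from the announced pledge port, or from OpenDoas. It assumes Linux on x86_64, a made-up "stdio"-like promise set (read, write, exit, exit_group, brk, fstat, rt_sigreturn), and returns EPERM for everything else instead of killing the process so the effect is visible. `build_filter`, `filter_decide`, `install_filter` and the helper names are this example's own.

```c
/* Added example: a pledge-like syscall whitelist as a raw seccomp-bpf program,
 * installed with prctl() directly (no libseccomp). Linux x86_64 only. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#define MAX_INSNS 64

/* Assumed promise set for the demo; a real pledge port would derive this. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group,
                               SYS_brk, SYS_fstat, SYS_rt_sigreturn };
#define NALLOWED (sizeof(allowed) / sizeof(allowed[0]))

/* Emit the classic-BPF program: reject foreign architectures outright, then
 * compare the syscall number against each allowed entry. Non-matching calls
 * get SECCOMP_RET_ERRNO|EPERM (pledge itself aborts; ERRNO keeps the demo alive).
 * Returns the number of instructions written, or 0 if prog is too small. */
size_t build_filter(struct sock_filter *prog, size_t cap) {
    size_t n = 0;
    if (cap < NALLOWED + 6) return 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                             AUDIT_ARCH_X86_64, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NALLOWED; i++) {
        /* jt is relative to the next instruction; it lands on the final ALLOW */
        __u8 jt = (__u8)(NALLOWED - i);
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (__u32)allowed[i], jt, 0);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | EPERM);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Tiny interpreter for the BPF subset used above (LD ABS, JEQ K, RET K), so a
 * filter can be checked without installing it. Returns the SECCOMP_RET_* word. */
__u32 filter_decide(const struct sock_filter *prog, size_t n, __u32 arch, int nr) {
    __u32 acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (ins->k == offsetof(struct seccomp_data, arch)) ? arch : (__u32)nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL; /* opcode outside the toy subset */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Convenience wrappers: build once, decide for a given x86_64 syscall number. */
size_t filter_len(void) {
    struct sock_filter prog[MAX_INSNS];
    return build_filter(prog, MAX_INSNS);
}
__u32 decide_x86_64(int nr) {
    struct sock_filter prog[MAX_INSNS];
    size_t n = build_filter(prog, MAX_INSNS);
    return filter_decide(prog, n, AUDIT_ARCH_X86_64, nr);
}
__u32 decide_i386(int nr) {
    struct sock_filter prog[MAX_INSNS];
    size_t n = build_filter(prog, MAX_INSNS);
    return filter_decide(prog, n, AUDIT_ARCH_I386, nr);
}

/* NO_NEW_PRIVS is required before an unprivileged process may install a filter.
 * Once installed, the filter is inherited by fork() and survives execve(): the
 * behavioural difference from OpenBSD's pledge raised in the thread. */
int install_filter(void) {
    struct sock_filter prog[MAX_INSNS];
    size_t n = build_filter(prog, MAX_INSNS);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (n == 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void) {
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    static const char ok[] = "filter installed; write() still works\n";
    static const char blocked[] = "getpid() blocked with EPERM\n";
    (void)write(1, ok, sizeof ok - 1);
    if (getpid() == -1 && errno == EPERM)        /* not on the whitelist */
        (void)write(1, blocked, sizeof blocked - 1);
    return 0;                                    /* exit_group is allowed */
}
```

Run it with `gcc -Wall seccomp_pledge.c && ./a.out`; the interpreter lets you unit-test the filter's decisions on any machine, while `main` shows the real kernel behaviour. Swapping `SECCOMP_RET_ERRNO | EPERM` for `SECCOMP_RET_KILL` gives the abort-on-violation semantics pledge uses.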
Seccomp would need to be combined with ptrace, unfortunately.