William Ahern <will...@25thandclement.com> wrote:
> Rather, the point of pledge and unveil is to make that
> deliberate refactoring as pleasant and minimal as is practicable.
Indeed, after the first 10 programs were converted to use pledge, it became very obvious what would happen next: "priv-drop everything".

The first priv-drop program in OpenBSD was ping; that was well before pledge. After pledge, 80% of the base programs were converted to pledge-assisted priv-drop, because it was really obvious that "initialization code" could and should be moved earlier in the program, so that pledge (or multiple pledge calls dropping permissions further) could be added to the program. Inside the group, we called this moving of initialization code to earlier "hoisting".

Moving the initialization code upwards is the hard part. There is no need to decide on what the pledge should be, because the movement goal is decided by the semantic separation of the pledge promises features.

We didn't add "minimal pledge" to each program. We aren't stupid like that. Instead, pledge was a tool to refactor all the programs and separate them into initialization + main loop. Go look at nc/netcat.c.

Automated software could conceivably create that outcome?? That's laughable. The proposal is blind to how pledge gets used.
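The staged-pledge shape the mail describes (initialization hoisted to the front, then each pledge call dropping what the remaining code no longer needs, until the main loop runs with "stdio" alone), as an added example that is not part of the original mail and is not OpenBSD's nc/netcat.c. It assumes a hypothetical tool that counts the bytes of one input file; on hosts without pledge(2) a small stand-in stub records the promise strings and enforces the one rule that shapes the refactoring, that a later call may only drop promises and an attempt to widen fails with EPERM, so the structure can be compiled and run anywhere. The input file is constructed by the example itself.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/*
 * Portability stub (assumption: host is not OpenBSD, so pledge(2) does not
 * exist).  It keeps the current promise set and refuses any call that asks
 * for a promise not already held, which is how the real system call behaves.
 */
static char current_promises[256] = "";
static int pledged;

static int promise_held(const char *p, size_t n) {
    if (!pledged) return 1;                 /* unpledged: anything goes */
    const char *s = current_promises;
    while (*s) {
        const char *e = s;
        while (*e && *e != ' ') e++;
        if ((size_t)(e - s) == n && memcmp(s, p, n) == 0) return 1;
        s = *e ? e + 1 : e;
    }
    return 0;
}

static int pledge(const char *promises, const char *execpromises) {
    (void)execpromises;
    const char *s = promises;
    while (*s) {
        while (*s == ' ') s++;
        const char *e = s;
        while (*e && *e != ' ') e++;
        if (e > s && !promise_held(s, (size_t)(e - s))) { errno = EPERM; return -1; }
        s = e;
    }
    snprintf(current_promises, sizeof current_promises, "%s", promises);
    pledged = 1;
    return 0;
}
#endif

/* Record of every stage, so the drop sequence can be inspected afterwards. */
#define MAXSTAGES 8
static const char *stages[MAXSTAGES];
static int nstages;

/* Pledge or die: a failed pledge call is a programming error, not a runtime condition. */
static void pledge_stage(const char *promises) {
    if (pledge(promises, NULL) == -1) { perror("pledge"); exit(1); }
    if (nstages < MAXSTAGES) stages[nstages++] = promises;
}

/* Constructed sample input (hypothetical path template, created at run time). */
static char sample_path[] = "/tmp/pledge_example.XXXXXX";
static const char sample_text[] = "constructed sample input\n";

/* Stage 0, before any pledge: create the file the tool will read back. */
static int write_sample_input(void) {
    int fd = mkstemp(sample_path);
    if (fd == -1) return -1;
    ssize_t n = write(fd, sample_text, sizeof sample_text - 1);
    close(fd);
    return n == (ssize_t)(sizeof sample_text - 1) ? 0 : -1;
}

/* The main loop: needs nothing beyond an already-open descriptor and stdio. */
static long count_bytes(int fd) {
    char buf[4096];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) total += n;
    return n < 0 ? -1 : total;
}

/* The refactored tool: hoisted init, then narrowing pledges, then the loop. */
static long run_tool(const char *path) {
    pledge_stage("stdio rpath");            /* init still has to open the input */
    int fd = open(path, O_RDONLY);
    if (fd == -1) { perror(path); return -1; }
    pledge_stage("stdio");                  /* descriptor in hand: drop rpath */
    long total = count_bytes(fd);
    close(fd);
    return total;
}

int main(void) {
    if (write_sample_input() == -1) return 1;
    long n = run_tool(sample_path);
    if (n < 0) return 1;
    printf("%ld bytes read across %d pledge stages, final promises \"%s\"\n",
           n, nstages, stages[nstages - 1]);
    return 0;
}
```

The point of the ordering is that nothing between the second pledge_stage call and the end of the loop can open a file, and a maintainer who later adds an open() there gets an immediate failure rather than a silently wider program; in a network tool the same slot before the final pledge is where name resolution and connect() are hoisted to.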