:: Re: [DNG] Apparmor Excalibur issues
Author: Kevin Chadwick
Date:  
To: dng
New-Topics: [DNG] Secure computing [Was: Re: Apparmor Excalibur issues]
Subject: Re: [DNG] Apparmor Excalibur issues


-------- Original Message --------

> Dunno if they can be used together.


On OpenBSD, Pledge's filesystem counterpart is unveil. Many programming languages
have pledge support, which is just informing the kernel when to restrict syscall
usage or filesystem access for this process from now on. Note it doesn't need to
be done at the beginning and can happen multiple times at any point of the
program, so one run of a program with some command line arguments might be more
restricted than another. It doesn't require suid either. Firefox is pledged and
unveiled on OpenBSD. It can be a little problematic that only the download
folder is accessible by Firefox, but you can configure Firefox not to tell the
kernel to restrict it, which must be in Firefox code. Pledge and unveil seem to
stick to UNIX syscall semantics and so I expect are fairly nice, at least for an
experienced UNIX programmer, to use (I believe Theo de Raadt designed most of it).
I don't know of any Linux unveil support and the pledge kernel support is likely
a patch that isn't upstreamed, so Landlock might be more Linux-centric/adopted. I
hadn't heard of it until now.

https://man.openbsd.org/man2/pledge.2
https://man.openbsd.org/unveil.2

Regards, Kc
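
The staged restriction described in the message above, as an added example that is not part of the original post and not taken from OpenBSD or Firefox code: unveil(2) exposes one directory, pledge(2) is called once with promises chosen from the command line, then again later to narrow further. The `--fetch` flag, the function names and the `/tmp` path are hypothetical; off OpenBSD the two calls are replaced by no-op stand-ins so the file still builds.

```c
/* Added example. Uses the real pledge(2)/unveil(2) on OpenBSD. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-ins (assumption): nothing is enforced off OpenBSD. */
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
static int unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif

/* Hypothetical policy: only a run given --fetch keeps network promises,
 * so two invocations of the same binary end up differently restricted. */
const char *promises_for(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--fetch") == 0)
            return "stdio rpath wpath cpath inet dns";
    return "stdio rpath wpath cpath";
}

/* Apply the sandbox in stages; returns 0 on success, -1 on failure. */
int sandbox(int argc, char **argv, const char *dir)
{
    /* Stage 1: expose a single directory (read/write/create), then
     * lock the unveil list so no further paths can be added. */
    if (unveil(dir, "rwc") == -1 || unveil(NULL, NULL) == -1)
        return -1;
    /* Stage 2: syscall promises selected from the command line. */
    if (pledge(promises_for(argc, argv), NULL) == -1)
        return -1;
    /* ... open files or sockets here while still permitted ... */
    /* Stage 3: a later call narrows further; a process can drop
     * promises but never regain them. */
    return pledge("stdio", NULL);
}

int main(int argc, char **argv)
{
    if (sandbox(argc, argv, "/tmp") == -1) {  /* "/tmp" is a sample path */
        perror("sandbox");
        return 1;
    }
    puts("running with stdio only");
    return 0;
}
```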