Author: Didier Kryn
Date:  
To: dng@lists.dyne.org
Old-Topics: Re: [DNG] Apparmor Excalibur issues
Subject: [DNG] Secure computing [Was: Re: Apparmor Excalibur issues]
On 25/02/2026 at 16:54, Kevin Chadwick via Dng wrote:
>
> -------- Original Message --------
>
>> Dunno if they can be used together.
> On OpenBSD, Pledge's filesystem counterpart is unveil. Many programming
> languages have pledge support, which is just informing the kernel when to
> restrict syscall usage or filesystem access for this process from now on.
> Note it doesn't need to be done at the beginning and can happen multiple
> times at any point of the program, so one run of a program with some
> command line arguments might be more restricted than another. It doesn't
> require suid either. Firefox is pledged and unveiled on OpenBSD. It can be
> a little problematic that only the download folder is accessible by
> Firefox, but you can configure Firefox not to tell the kernel to restrict
> it, which must be in Firefox code. Pledge and unveil seem to stick to UNIX
> syscall semantics and so I expect are fairly nice, at least for an
> experienced UNIX programmer, to use (I believe Theo de Raadt designed most
> of it). I don't know of any Linux unveil support and the pledge kernel
> support is likely a patch that isn't upstreamed, so landlock might be more
> Linux centric/adopted. I hadn't heard of it until now.
>
> https://man.openbsd.org/man2/pledge.2
> https://man.openbsd.org/unveil.2

    Sure it can change during the course of the program, but only by
further restricting the permissions, not by relaxing them. But I
think the best place to call for restrictions is at the beginning,
before any harmful action can happen. At least as early as possible.

    I forgot yet another system on Linux! Seccomp (secure computing).

    With Seccomp, a program can restrict which system calls it is
allowed to call. The functionality is apparently the same as OpenBSD's
Pledge, but with a much more complicated API. The complexity of this API
is normal because it is the interface to the system call proper and
there is still no wrapper to this system call in the C runtime library.
Since Pledge isn't available on Linux, it might make sense to develop a
userspace wrapper to Seccomp with the API of Pledge.

    The existence of both Seccomp and capabilities lets me think that
the only additional feature provided by capabilities is to store the
capabilities in the attributes of the executable file.

--     Didier
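The pledge-style wrapper over seccomp that the message above suggests, as an added example in C that is not part of this thread or of any project: `build_allowlist` and `pledge_like` are hypothetical names, the filter is written for x86_64 syscall numbers, and installing it assumes a Linux kernel with seccomp filter support.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef __x86_64__
#error "syscall numbers and AUDIT_ARCH_* below are for x86_64; adjust for other targets"
#endif
/* Emit a classic-BPF allow-list into prog: kill on a foreign arch (syscall numbers
 * differ), allow the listed syscalls, fail all others with EPERM. Returns the
 * instruction count, or 0 if cap is too small. */
static size_t build_allowlist(struct sock_filter *prog, size_t cap,
                              const int *allowed, size_t n)
{
    size_t i, k = 0;
    if (cap < n + 6) return 0;
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) /* a match jumps forward to the final ALLOW */
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)allowed[i], (__u8)(n - i), 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}
/* pledge-style wrapper (hypothetical name): from here on only the listed
 * syscalls succeed. Filters stack, so a later call can only tighten. */
static int pledge_like(const int *allowed, size_t n)
{
    struct sock_filter prog[64];
    struct sock_fprog fprog = { .filter = prog };
    fprog.len = (unsigned short)build_allowlist(prog, 64, allowed, n);
    if (fprog.len == 0) { errno = E2BIG; return -1; }
    /* no_new_privs lets an unprivileged process install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
int main(void)
{
    const int allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
    char buf[8];
    if (pledge_like(allowed, 3) == -1) return 1;
    if (read(0, buf, sizeof buf) == -1 && errno == EPERM)
        write(1, "read now fails with EPERM\n", 26);
    return 0;
}
```

The demo uses only raw `read`/`write` after the filter is installed; anything that goes through stdio or the dynamic loader afterwards may need further syscalls on the list.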