Bryan Steele Mar 9

A early criticism heard of #OpenBSD pledge(2) was that the kernel contained a small number of hardcoded path checks in order to avoid the broader rpath promise. This meant some paths were implicitly readable by programs in order to satisfy the needs of libc.

https://marc.info/?l=openbsd-cvs&m=177299080909460&w=2

OpenBSD is attempting to solve this by adding a new (non-public/non-exported*) __pledge_open(2) used by libc, which is like read-only open(2) whos file descriptors can not be written to, have attributes changed on them or passed with e.g: SCM_RIGHTS file descriptor passing.

https://marc.info/?l=openbsd-cvs&m=177302697522966&w=2

* Recall that OpenBSD has system call origin verification and no indirect syscall access.

This is still a WIP, some parts remain uncommitted, but an interesting semantic change, which _should_ be mostly transparent for applications using pledge(2) already with rpath, those relying on the implicit paths may need to add filesystem related promises and use unveil(2). 

'CVS: cvs.openbsd.org: src' - MARC

Show threadBryan Steele Mar 12

Heads up: The final parts of #OpenBSD __pledge_open(2) have been committed, libc uses it internally. Now programs that previously relied on being able to open(2) these implicitly allowed files _will fail_ unless the pledge(2) promises and any unveil(2) calls permit it.

https://marc.info/?l=openbsd-cvs&m=177310392512210&w=2

https://marc.info/?l=openbsd-cvs&m=177333038516545&w=2

'CVS: cvs.openbsd.org: src' - MARC

David LeadbeaterMar 19
Show threadBryan Steele 

David Leadbeater (welcome dgl@! ​) has shared some information regarding the recent __pledge_open(2) changes in #OpenBSD 7.9-beta, including some good advice for porters. 

https://marc.info/?l=openbsd-ports&m=177389567528083&w=2

'Pledge changes in 7.9-beta' - MARC

Mar 19 at 7:00amWeb