Will Redox-OS use pledge?
Created by: redox-questions
https://man.openbsd.org/pledge.2 https://news.ycombinator.com/item?id=10537268 https://www.openbsd.org/papers/eurobsdcon2017-pledge.pdf
What is Pledge?
pledge is a system call.
Calling pledge in a program promises that the program will only use certain resources.
Another way of saying it: limit the operation of a program to its needs, e.g.,
"I pledge not to use any other ports except port 63"
"I pledge not to use any other system-call except lseek() and fork()"
How does it make a program more secure?
It limits the operation of a program. Example:
You wrote a program named xyz that only needs the read system call.
Then you add pledge so it uses only read and nothing else.
Then a malicious user finds a vulnerability in your program by which one can invoke a root shell.
Exploiting your program to open a root shell will result in the kernel killing the process with SIGABRT (which cannot be caught/ignored) and generating a log entry (which you can find with dmesg).
It happens because, before executing the rest of your program's code, it first pledges not to use anything other than the read system call. But opening a root shell will call several other system calls, which is forbidden because it has already promised not to use anything but read.
Where is Pledge?
It's usually called in a program. Usage:
    #include <unistd.h>
    int pledge(const char *promises, const char *paths[]);
Example code, from the cat command's cat.c:
    ........
    #include <unistd.h>
    ........
        int ch;

        if (pledge("stdio rpath", NULL) == -1)
            err(1, "pledge");

        while ((ch = getopt(argc, argv, "benstuv")) != -1)
    ..........
Will Redox OS use it?
Thanks.
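As an added example (not from the original post or from OpenBSD's cat.c), here is the staged pattern the cat snippet above hints at: keep "rpath" only while files are being opened, then narrow to "stdio" for the rest of the run. cat_file and write_sample are invented names, and the no-op pledge stand-in compiled on non-OpenBSD hosts is an assumption so the file builds elsewhere; it enforces nothing.

```c
/* Added example (not from the original post or OpenBSD's cat.c): staged
 * pledge(2) use. cat_file()/write_sample() are invented names; the pledge()
 * stand-in is an assumption so the file also builds where pledge(2) is absent. */
#include <err.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-in for hosts without pledge(2): accepts anything, enforces nothing. */
static int pledge(const char *promises, const char *execpromises) {
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* Write constructed sample input; must run before cat_file(), which narrows
 * away the promises needed to create files. Returns bytes written or -1. */
long write_sample(const char *path, const char *text) {
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    long n = (long)fwrite(text, 1, strlen(text), fp);
    fclose(fp);
    return n;
}

/* Copy one file to stdout like cat, narrowing the promise set as soon as the
 * file is open. Returns bytes copied, or -1 if the file cannot be opened. */
long cat_file(const char *path) {
    /* Setup phase: "rpath" is needed only for the open(2) behind fopen(). */
    if (pledge("stdio rpath", NULL) == -1)
        err(1, "pledge");
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    /* Work phase: only I/O on already-open descriptors remains. A later
     * open(), socket() or execve() would now kill the process on OpenBSD. */
    if (pledge("stdio", NULL) == -1)
        err(1, "pledge");
    char buf[4096];
    size_t n;
    long total = 0;
    while ((n = fread(buf, 1, sizeof buf, fp)) > 0) {
        fwrite(buf, 1, n, stdout);
        total += (long)n;
    }
    fclose(fp);
    return total;
}
```

On OpenBSD the second pledge() call cannot widen the set again, so any later file open in the same process is fatal by design; that is the point of narrowing once setup is done.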