On Mon, 21 Dec 2015 09:51:07 -0500 Jiri B <ji...@devio.us> wrote: > Respect for your work but I'm asking myself - what is > the attack vector? > > IMO pdf viewers, browsers and similar apps would have > much bigger sense to pledge(). Unfortunatelly they are > huge beasts :/ > > j. >
yes they are huge beasts, but they can still be forced into cages. half my posts seem to refer to back to this, but.. you can try: 'isolating untrusted programs in ssh chroot jails' https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 i run my browser and pdf viewers in them. i make sure too that my pdf/djvu viewers don't have net access either using pf. i try to leverage most of the mitigation facilities available in base (though so far i haven't yet seriously experimented with systrace). Mr. Coppa previously reported that he managed it with firefox. i mention the programs i could and couldn't jail in the post.
