On Tue, 22 Dec 2015 03:53:54 -0500 Jiri B <ji...@devio.us> wrote:

> On Mon, Dec 21, 2015 at 03:34:43PM -0500, dan mclaughlin wrote:
> > yes they are huge beasts, but they can still be forced into cages. half my
> > posts seem to refer back to this, but.. you can try:
> >
> > 'isolating untrusted programs in ssh chroot jails'
> > https://marc.info/?l=openbsd-misc&m=142676615612510&w=2
> >
> > i run my browser and pdf viewers in them. i make sure too that my pdf/djvu
> > viewers don't have net access either, using pf. i try to leverage most of
> > the mitigation facilities available in base (though so far i haven't yet
> > seriously experimented with systrace).
> >
> > Mr. Coppa previously reported that he managed it with firefox. i mention
> > the programs i could and couldn't jail in the post.
>
> I don't understand why you switch topic from pledge()
> to chroots...
>
> j.
you originally said:

> Respect for your work but I'm asking myself - what is
> the attack vector?
>
> IMO pdf viewers, browsers and similar apps would make
> much more sense to pledge(). Unfortunately they are
> huge beasts :/

"unfortunately they are huge beasts", and you are right. in this post

https://marc.info/?l=openbsd-ports&m=144822758614817&w=2

Theo said:

> You can't pledge a program if you don't understand what it is doing,
> and why.
>
> Misapplication of pledge like this will result in a nightmare.

it's hard to understand what a huge beast is doing, so while pledge is a
good thing, it may not work for such things, *especially* modern web
browsers. so as an alternative, i mentioned the mitigation facilities in
base that can at least help: dedicated user, chroot, X11 security
extensions, Xephyr, pf. i also mentioned systrace(1), even though i have
not used it much myself, because it does similar things to pledge (ie
restricting syscalls, etc). at the very least, in a chroot running as a
non-privileged user, it should remove a great deal of the attack surface.
and those facilities can be used now, rather than waiting for someone to
pledge() those programs later.
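As an added example (not part of this thread, and not dan's own configuration), here is the pf half of the setup described above: a pf.conf fragment that denies outbound TCP/UDP traffic originated by the dedicated, unprivileged user the PDF viewer runs as. The user name `_pdfview` is an assumption; `egress` is OpenBSD's interface group for the default-route interface.

```pf
# Added example: deny network access to a viewer running as a dedicated
# unprivileged user. "_pdfview" is an assumed name; create it with no shell
# and run the viewer (inside its chroot) as that uid.
ext_if = "egress"
viewer_user = "_pdfview"

# pf matches "user" against the uid owning the socket that sent the packet,
# so this covers every TCP/UDP connection the viewer itself opens, DNS
# lookups included. Unix-domain sockets (local X11) are not IP and are not
# affected. "quick" makes this the final decision for matching packets,
# "return" hands the viewer an immediate error instead of a hang, and "log"
# sends the attempt to pflog(4) so a viewer that starts phoning home shows
# up in: tcpdump -n -e -ttt -i pflog0
block return out log quick on $ext_if proto { tcp udp } user $viewer_user

# Ordinary outbound policy for every other user on the host.
pass out on $ext_if proto { tcp udp } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`.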