Sun, 10 Apr 2016 14:23:02 -0700 Brennan Vincent <bren...@umanwizard.com>

> Got it. Thanks for the explanation.
>
> On Sun, Apr 10, 2016, at 01:36 PM, Stuart Henderson wrote:
> > On 2016/04/10 20:50, Nicholas Marriott wrote:
> > > Hi
> > >
> > > What's the use for this? What program could use it?
> > >
> > > On Sun, Apr 10, 2016 at 08:48:08AM -0700, Brennan Vincent wrote:
> > > > Subject basically says it all. I think some could find it useful to have
> > > > `pledge` promises optionally persist even after the process calls
> > > > execve. This could, for example, be implemented with an `exec_noreset`
> > > > pledge that gives access to the same syscalls as `exec`, but with this
> > > > restricted behavior.
> > > >
> > > > Is there a good technical reason this can't or shouldn't be done, or
> > > > has it simply not been implemented yet?
> >
> > It doesn't seem like something that would be widely usable - a big
> > part of how pledge is designed is based around the fact that programs
> > typically need a higher level of access during startup (to open files,
> > persistent sockets, etc) and can then be ratcheted down to a very small
> > set of system calls after init is done.
> >
> > I don't think there's a technical reason why it couldn't be done,
> > but it would add complexity in a security-sensitive area so it's
> > unlikely to happen without a number of real-world use cases.
In fact, there is persistence; you just maybe don't see it from the best viewpoint yet. It is ensured by proper program design (every step of execution possible) and privilege drop (separation, pledge, expand this here) using various (OpenBSD-specific, and not only) methodologies. It is a voluntary choice of system and application design, and is present in the Unix class of operating systems, also gaining popularity in others...
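The ratchet that Stuart describes (broad promises while opening files and spawning helpers, then a narrow set for the rest of the run) and the point of the reply above (the exec'd program is expected to pledge itself) are shown in the following program. It is an added example written for this page, not code from the thread or from OpenBSD. It assumes `/dev/null` and `/bin/sh` exist, and on hosts without pledge(2) it substitutes a stub that accepts any promise string and enforces nothing, so only OpenBSD actually kills the process on a violation. One point beyond the thread: the 2016 pledge(2) in discussion took an unused second argument; since OpenBSD 6.3 that argument is `execpromises`, applied to the image after execve. Passing `NULL` for it, as below, reproduces the behaviour debated here: the child starts unpledged.

```c
/* Added example: the pledge(2) ratchet pattern, with a stub on non-OpenBSD. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: stub for hosts without pledge(2). Accepts anything, enforces
 * nothing; it exists only so the control flow can be exercised elsewhere. */
static int pledge(const char *promises, const char *execpromises) {
    (void)promises; (void)execpromises;
    return 0;
}
#endif

static char current_promises[128] = "(none)";

/* Read back the last promise set applied, for inspection by callers. */
static const char *promises_now(void) { return current_promises; }

/* Apply a promise set and remember it. Second argument NULL: the exec'd
 * image gets no promises (on OpenBSD 6.3+ a string here would be applied
 * to it after execve). */
static int apply_pledge(const char *promises) {
    if (pledge(promises, NULL) == -1) { perror("pledge"); return -1; }
    snprintf(current_promises, sizeof current_promises, "%s", promises);
    return 0;
}

/* Phase 1 (startup): rpath to open the config, proc+exec to spawn a helper.
 * Returns the open descriptor; pledge never revokes descriptors already held. */
static int init_phase(const char *config_path) {
    if (apply_pledge("stdio rpath proc exec") == -1) return -1;
    int fd = open(config_path, O_RDONLY);
    if (fd == -1) { perror("open"); return -1; }
    return fd;
}

/* Phase 2: spawn the helper while proc and exec are still promised. After
 * execve the child is NOT pledged by the parent's call; it has to pledge
 * itself, which is the "voluntary design" the reply above refers to. */
static int spawn_helper(void) {
    pid_t pid = fork();
    if (pid == -1) { perror("fork"); return -1; }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "exit 0", (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Phase 3: ratchet down to stdio only. From here an open(2) or fork(2) kills
 * the process on OpenBSD (SIGABRT); reads on the descriptor from phase 1
 * still work. Promises can only shrink: a later pledge() asking for more
 * fails with EPERM on OpenBSD. */
static int drop_to_stdio(void) {
    return apply_pledge("stdio");
}

int main(void) {
    int fd = init_phase("/dev/null");
    if (fd == -1) return 1;
    printf("init done under: %s\n", promises_now());
    if (spawn_helper() != 0) return 1;
    if (drop_to_stdio() == -1) return 1;
    printf("running under: %s (fd %d still readable)\n", promises_now(), fd);
    char buf[16];
    ssize_t n = read(fd, buf, sizeof buf);  /* allowed by "stdio" */
    printf("read returned %zd\n", n);
    close(fd);
    return 0;
}
```

The order matters: anything that needs `rpath`, `proc` or `exec` must happen before `drop_to_stdio()`, which is exactly why a promise set that survived execve would buy little; the exec'd program has its own startup work to do before it can narrow down.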