> On Wed, Jan 25, 2017 at 12:33:36AM -0700, Theo de Raadt wrote:
> > > 2. vmd calls openpty() in the pledged parent whenever a new VM is
> > > started - effectively doing ioctls on post-pledge fds. I will
> > > probably solve this by opening the pty in the non-pledged "priv"
> > > process, and do some additional passing, but then I'll also have to
> > > give up its chroot to access /dev/.
> > >
> > > vmd: ioctl 40287401 post-pledge fd 12
> > > vmd(51681): syscall 54 "tty"
> >
> > How about opening PATH_PTMDEV early and keeping it open in a
> > properly protected process; then create pty pairs as required.
>
> Oh, yes, I should have looked at openpty() in libutil first :)
> That makes sense, I will try it.

But please don't become too attached to the proposed semantics. It's a proposal, we need to learn if it actually helps or hinders privsep programs become better.